Abstract

The simulation paradigm, introduced by Goldwasser, Micali and Rackoff, is of fundamental importance to modern cryptography. In a breakthrough work from 2001, Barak (FOCS'01) introduced a novel non-black-box simulation technique. This technique enabled the construction of new cryptographic primitives, such as resettably-sound zero-knowledge arguments, that cannot be proven secure using just black-box simulation techniques.

The work of Barak and its follow-ups, however, all require stronger cryptographic hardness assumptions than the minimal assumption of one-way functions: the work of Barak requires the existence of collision-resistant hash functions, and a very recent result by Bitansky and Paneth (FOCS'12) instead requires the existence of an Oblivious Transfer protocol.

In this work, we show how to perform non-black-box simulation assuming just the existence of one-way functions. In particular, we demonstrate the existence of a constant-round resettably-sound zero-knowledge argument based only on the existence of one-way functions. Using this technique, we determine necessary and sufficient assumptions for several other notions of resettable security of zero-knowledge proofs. An additional benefit of our approach is that it seemingly makes practical implementations of non-black-box zero-knowledge viable.
1 Introduction

Zero-knowledge (ZK) interactive protocols [GMR89] are paradoxical constructs that allow one player (called the Prover) to convince another player (called the Verifier) of the validity of a mathematical statement while providing zero additional knowledge to the Verifier. Beyond being fascinating in their own right, ZK proofs have numerous cryptographic applications and are one of the most fundamental cryptographic building blocks.

The zero-knowledge property is formalized using the so-called simulation paradigm: for every malicious verifier V*, we require the existence of a “simulator” S that, given just the input x, can indistinguishably reproduce the view of V* in an interaction with the honest prover. (We note that the simulation paradigm extends well beyond the notion of zero-knowledge, and is a crucial component of modern definitions of protocol security.) The most typical way of performing such a simulation is using black-box simulation [GO94]: here we exhibit a universal simulator S that, given only black-box access to any (efficient) V*, can reproduce the view of V* in an interaction with the honest prover. Indeed most zero-knowledge protocols (and more generally protocols for secure computation) are analyzed using black-box simulators. But several limitations of black-box simulators are also known; see e.g. [GK96, CKPR01, BGGL01, PTV08].

In a breakthrough result from 2001, Barak [Bar01] demonstrated a new, powerful non-black-box simulation technique, and used this technique to construct a constant-round public-coin zero-knowledge argument; by the result of [GK96] such protocols cannot be proved zero-knowledge using just black-box simulation. In the same year, Barak, Goldwasser, Goldreich and Lindell [BGGL01] demonstrated that this non-black-box simulation technique could be used to achieve a new cryptographic primitive that cannot be proven secure using black-box simulation, namely resettably-sound zero-knowledge protocols. In a resettably-sound zero-knowledge protocol, the soundness property is required to hold even if the malicious prover is allowed to “reset” and “restart” the verifier. This model is particularly relevant for cryptographic protocols being executed on embedded devices, such as smart cards. (Since these devices have neither a built-in power supply, nor a non-volatile rewritable memory, they can be “reset” by simply disconnecting and reconnecting the power supply.) Roughly speaking, the reason why non-black-box simulation is crucial for resettably-sound zero-knowledge protocols is that a black-box simulator has essentially the same “powers” as a malicious resetting prover (i.e., it can only reset and restart the verifier); from this observation it follows that, unless L ∈ BPP, a “good” simulator can be used as a successful cheating prover. Since these results, non-black-box simulation techniques have found applications in various other contexts (see e.g. [BG02, Pas04, PR05, DGS09]).

One important limitation of the non-black-box simulation technique of Barak [Bar01] (also present in its follow-up works) is that the technique requires stronger assumptions than those typically needed for constructing zero-knowledge protocols. In particular, the protocol of Barak (using the refinement in [BG02]) relies on the existence of families of collision-resistant hash functions (CRH), and as a consequence, such hash functions are needed in the above applications too.¹ In contrast, for “plain” zero-knowledge (i.e., without, for instance, resettable soundness) one-way functions are both sufficient and necessary [GMW91, HILL99, OW93], leaving open the following question, which is the focus of this work.

Do one-way functions suffice for performing non-black-box simulation (for primitives that cannot be proven secure using black-box simulation techniques)?

A very recent elegant work by Bitansky and Paneth [BP12] takes us a step closer to answering this question. They present a resettably-sound zero-knowledge argument without relying on hash functions; instead, they rely on the existence of an oblivious transfer (OT) protocol. Although the existence of an OT protocol is seemingly a more “complex” assumption than the existence of CRHs,² it is not known whether the existence of an OT protocol implies the existence of CRH (or vice versa). More important, to achieve this result, Bitansky and Paneth devise a quite different method for performing non-black-box simulation.

¹The original protocol of Barak relies on a very slightly super-polynomially hard collision-resistant hash function; the need for super-polynomial hardness was removed in [BG02].

²For instance, all candidate constructions of OT protocols rely on “structured”, number-theoretic or lattice-based, assumptions. Additionally, all these assumptions are known to also imply the existence of collision-resistant hash functions (but the converse is not true).

1.1 Our Result

In this work, we answer the above question in the affirmative. We show that for the case of resettably-sound zero-knowledge, the existence of one-way functions suffices.

Theorem 1 (Main Theorem). Assume the existence of one-way functions. Then there exists a constant-round resettably-sound zero-knowledge argument for all of NP.

Interestingly, our protocol is quite close in spirit to Barak's original protocol, while dispensing with the need for collision-resistant hash functions.

By relying on the above main theorem, we establish several other results on resettable security: Assuming one-way functions, all of NP has

• a constant-round resettably-witness-indistinguishable argument of knowledge;

• an O(log n)-round resettable zero-knowledge argument of knowledge.

(Roughly speaking, in a resettably witness-indistinguishable (resp., zero-knowledge) argument, the witness-indistinguishability (resp., zero-knowledge) property is required to hold also in the presence of a resetting verifier.) For the above-mentioned primitives, previous results required additional cryptographic assumptions (the existence of collision-resistant hash functions or oblivious transfer protocols). We additionally show how to eliminate the need for CRHs in the construction of [DGS09] of a simultaneously resettable zero-knowledge argument for NP — simultaneous resettability here means that security (both zero-knowledge and soundness) holds even with respect to resetting attackers.

We emphasize that for all the above results, the use of non-black-box techniques is inherent. Our results lead to improvements also for cases when black-box simulation can be used: prior to our results, resettable zero-knowledge arguments (without the argument of knowledge property) were known only based on the existence of CRHs, but these protocols were actually proven secure using black-box simulation. As mentioned above, we are able to establish even the stronger notion of a resettable zero-knowledge argument of knowledge assuming only one-way functions.

1.2 Our Techniques

To explain our techniques, let us start by very briefly recalling the idea behind Barak's constant-round public-coin protocol; we will then explain how this protocol is used to get a resettably-sound zero-knowledge protocol. The protocol relies on the existence of a family of collision-resistant hash functions h : {0,1}* → {0,1}^n; note that any such family of collision-resistant hash functions can be implemented from a family of collision-resistant hash functions mapping n-bit strings into n/2-bit strings using tree hashing [Mer89].

Roughly speaking, on common input 1^n and x ∈ {0,1}^{poly(n)}, the Prover P and Verifier V proceed in two stages. In Stage 1, V starts by selecting a function h from a family of collision-resistant hash functions and sends it to P; P next sends a commitment c = Com(0^n) of length n, and finally, V sends a “challenge” r ∈ {0,1}^{2n}. In Stage 2, P shows (using a witness indistinguishable argument of knowledge) that either x is true, or that c is a commitment to a “hash” (using h) of a program M (i.e., c = Com(h(M))) such that M(c) = r.

Roughly speaking, soundness follows from the fact that even if a malicious prover P* tries to commit to (the hash of) some program M (instead of committing to 0^n), with high probability, the string r sent by V will be different from M(c) (since r is chosen independently of c). To prove ZK, consider the non-black-box simulator S that commits to a hash of the code of the malicious verifier V*; note that, by definition, it thus holds that M(c) = r, and the simulator can use c as a “fake” witness in the final proof. To formalize this approach, the witness indistinguishable argument in Stage 2 must actually be a witness indistinguishable universal argument (WIUARG) [Mic00, BG02], since the statement that c is a commitment to a program M of arbitrary polynomial size, and that M(c) = r holds within some arbitrary polynomial running time, is not in NP. WIUARGs are known based on the existence of CRH, and those protocols are constant-round public-coin; as a result, the whole protocol is constant-round and public-coin.

Finally, Barak et al. [BGGL01] show that any constant-round public-coin zero-knowledge argument of knowledge can be transformed into a resettably-sound zero-knowledge argument, by simply having the verifier generate its (random) messages by applying a pseudorandom function to the current partial transcript.³

Why hash functions are needed Note that hash functions are needed in two locations in Barak's protocol. First, since there is no a-priori polynomial upper-bound on the length of the code of V*, we require the simulator to commit to the hash of the code of V*. Secondly, since there is no a-priori polynomial upper-bound on the running-time of V*, we require the use of universal arguments (and such constructions are only known based on the existence of collision-resistant hash functions).

Using signature schemes instead of CRHs Our main idea is noticing that digital signature schemes — which can be constructed based on one-way functions — share many of the desirable properties of CRHs. In particular, we will show how to appropriately instantiate (a variant of) Barak's protocol using signature schemes instead of CRHs. Recall that “fixed-length” signature schemes, that allow signing messages of arbitrary polynomial length (e.g., length 2n) using a length-n signature, are known based on just one-way functions [Rom90]. In fact, based on the same assumption, strong fixed-length signature schemes are known: in a strong signature scheme no polynomial time attacker can obtain a new signature even for messages that it has seen a signature on [Gol01]. We observe that such signature schemes share a lot of properties with CRHs. First of all, they are compressing. More importantly, we observe that by the unforgeability requirement of strong signatures, no attacker can find a single valid signature σ for two distinct messages m, m′ — that is, signatures satisfy a collision-resistance property. Additionally, by using an appropriate analog of tree hashing, a signature tree can be used to compress arbitrary length messages into a signature of length n.
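The signature tree sketched above, as an added example that is not from the paper: building the tree requires the signing oracle, while opening any leaf is checked with vk alone along a logarithmic-length path. It assumes a toy deterministic RSA-FDH scheme in place of the paper's one-way-function-based strong signatures; the padding to a power of two and the 0x00/0x01 domain separation are choices made here.

```python
import hashlib
import random

# Toy stand-in for the paper's strongly unforgeable, one-way-function-based
# fixed-length signatures: deterministic RSA-FDH with 256-bit primes, used
# only so this block runs offline on the standard library. Not secure.
_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=32):
    # Miller-Rabin; callers only pass odd candidates.
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=256):
    """Return (vk, sk) = ((N, e), (N, d)); only vk is sent to the prover."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))


def _fdh(msg, n):
    # Full-domain hash into Z_N; SHA-512 covers the 512-bit modulus.
    return int.from_bytes(hashlib.sha512(msg).digest(), "big") % n


def sign(sk, msg):
    n, d = sk
    return pow(_fdh(msg, n), d, n).to_bytes(64, "big")


def verify(vk, msg, sig):
    n, e = vk
    s = int.from_bytes(sig, "big")
    return 0 < s < n and pow(s, e, n) == _fdh(msg, n)


# Signature tree, the paper's analogue of Merkle tree hashing: leaves are
# signatures on the message blocks, each internal node signs its children's
# signatures, and the root is one fixed-length signature. Building needs the
# signing oracle (sk); a leaf opening is checked with vk alone. The 0x00/0x01
# prefixes separate leaf and internal messages (a choice made here).
def build_signature_tree(sk, blocks):
    """Return the tree level by level; levels[0] holds the leaf signatures."""
    size = 1
    while size < len(blocks):
        size *= 2
    padded = list(blocks) + [b""] * (size - len(blocks))
    levels = [[sign(sk, b"\x00" + b) for b in padded]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([sign(sk, b"\x01" + prev[i] + prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels


def open_leaf(levels, index):
    """Opening of leaf `index`: (sibling sig, sibling is left, parent sig) per level."""
    path = []
    for lvl in range(len(levels) - 1):
        sib = index ^ 1
        path.append((levels[lvl][sib], sib < index, levels[lvl + 1][index // 2]))
        index //= 2
    return path


def verify_opening(vk, root, block, leaf_sig, path):
    """Check, using vk only, that `block` sits under `root` at the opened leaf."""
    if not verify(vk, b"\x00" + block, leaf_sig):
        return False
    cur = leaf_sig
    for sib, sib_is_left, parent in path:
        pair = sib + cur if sib_is_left else cur + sib
        if not verify(vk, b"\x01" + pair, parent):
            return False
        cur = parent
    return cur == root


def demo():
    # Constructed sample: five blocks compressed to one 64-byte root signature.
    vk, sk = keygen()
    blocks = [b"config-block-%d" % i for i in range(5)]
    levels = build_signature_tree(sk, blocks)
    root = levels[-1][0]
    honest = all(verify_opening(vk, root, b, levels[0][i], open_leaf(levels, i))
                 for i, b in enumerate(blocks))
    forged = verify_opening(vk, root, b"other", levels[0][3], open_leaf(levels, 3))
    return honest and not forged  # a swapped block under the same opening fails
```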

So, can we just replace the CRHs in Barak's protocol with strong, fixed-length, signature schemes? The problem with naively implementing this idea is that the collision-resistance property of strong signature schemes only holds against an attacker that does not know the secret key. On the other hand, to generate signatures, knowledge of the secret key is needed. In our application, the simulator — acting as a prover — needs to be able to generate signatures (in order to “hash down” the program, and in the universal argument) but at the same time, we need to ensure collision-resistance against cheating provers. So if we let the prover generate the signature keys, simulation is easy, but soundness no longer holds, whereas if we let the verifier generate the signature keys and only send the verification key to the prover, then soundness holds, but it is no longer clear how to perform a simulation. We resolve this issue by using a “hybrid approach”: we let the verifier generate the signature keys, but give the prover access to a single signing query. More precisely, in an initial stage of the protocol, the verifier generates a signature key-pair sk, vk and sends only the verification key vk to the prover. Next, in a “signature slot”, the prover sends a message m to the verifier, and the verifier computes and returns a valid signature σ of m (using sk). (We note that such a signature slot was previously used by [LP11] in a quite different context, but as we shall see shortly, some of their techniques will be useful also to us.) Finally, the protocol proceeds essentially as in Barak's protocol, but where the CRH is replaced by the signature scheme. Implementing this is somewhat subtle: First, the statement proved in the WIUARG in Barak's protocol considers the hash function h (e.g., the prover needs to prove statements of the type h(m) = q). In our approach, since “hashing” has been replaced by “signing”, this would require the honest prover to prove things related to the secret key (e.g., Sign_sk(m) = q), but the honest prover does not know sk. This issue is easily resolved by instead letting the prover show that the signatures used (as “hashes”) verify, i.e., that Ver_vk(m) = q. Another issue is that in Barak's protocol, the honest prover actually needs to perform hashes to complete the WIUARG. We resolve this second issue by relying on an instantiation of Barak's protocol due to Pass and Rosen [PR05], which relies on a special-purpose WIUARG in which the honest prover never needs to perform any hashing.⁴ Now completeness of this protocol follows in exactly the same way as in [Bar01, PR05].

³Strictly speaking, Barak's protocol is not an argument of knowledge, but rather a “weak” argument of knowledge (see [BG02, BGGL01] for more details), but the transformation of [BGGL01] applies also to such protocols.

For soundness, note that since the prover does not get to see sk, soundness follows in a similar way to Barak's protocol. In fact, if the signature scheme used satisfies strong unforgeability, then the signature trees are collision-resistant with respect to attackers that get vk and have access to a signing oracle, and collision-resistance of the signature tree is the only property needed to prove soundness as in Barak's protocol. (Note that we here only require collision-resistance with respect to attackers that get a single query to a signing oracle, but the more general result will be useful when we consider resettable-soundness.)

Let us turn to zero-knowledge. At first sight, it seems that we still have an issue. The prover just gets a single signature, but to complete the simulation, the simulator needs an a-priori unbounded polynomial number of signatures (e.g., to “hash down” a program of a-priori unbounded polynomial size.⁵) Note, however, that the simulator can always rewind the verifier to get as many signatures as it wants and can thus complete the simulation in a similar way to the one used in Barak's protocol. This approach doesn't quite work: the malicious verifier V* may not always agree to sign every message requested by the simulator; we deal with this issue in the same way as in [LP11]: rather than having the simulator send the messages it wants to be signed in the clear, it simply sends a commitment to them. To make use of such a simulator strategy, we appropriately modify the notion of a signature tree to consist of signatures of commitments to signatures etc.

So, we now have a zero-knowledge protocol that is based on one-way functions (and is constant-round). But it is no longer public-coin!

Nonetheless, let us still apply the PRF transformation of [BGGL01] to the protocol (i.e., we have the verifier generate its random coins in each round by applying a PRF to the current partial transcript). Clearly, the protocol is still zero-knowledge (since we only modified the verifier strategy). As it turns out, the resulting protocol is actually also resettably-sound: note that, except for the signature slot added in the beginning of the protocol, the protocol is still public-coin, and the same argument as in [GK96, BGGL01] can be used to show that in the public-coin part of the protocol, rewindings do not “help” a resetting cheating prover. So, in essence, the only “advantage” a resetting prover gets is that it may rewind the signature slot, and thus get an arbitrary polynomial number of signatures on messages of its choice. But, as noted above, signature trees are collision-resistant even with respect to an attacker that gets an arbitrary polynomial number of queries to a signing oracle, and thus resettable-soundness follows in exactly the same way as the (non-resetting) soundness property.

⁴In fact, an early version of Barak's protocol also had this property.

⁵Also in the implementation of the WIUARG, an a-priori unbounded number of “hashes” are needed.

Beyond resettably-sound zero-knowledge For the applications of a) a constant-round resettably witness-indistinguishable argument of knowledge, and b) an O(log n)-round resettable zero-knowledge argument of knowledge for NP, we simply plug our resettably-sound zero-knowledge argument of knowledge into the protocols of [CGGM00, BGGL01] with some minor modifications.

To achieve simultaneously resettable zero-knowledge, we instead instantiate the protocol of Deng, Goyal and Sahai [DGS09] with signature trees, in exactly the same way as Barak's protocol. Resettable-soundness follows exactly as in [DGS09], relying on the collision-resistance property of signature trees. Resettable zero-knowledge is more tricky though: [DGS09] provides an intricate simulation strategy that combines black-box simulation, using rewinding, and non-black-box simulation (as in [Bar01]). Roughly speaking, the protocol consists of polynomially many “rewinding slots” (say 2n^2), and for each session started by the resetting verifier, the simulator of [DGS09] rewinds a polynomial fraction (say 2n) of them twice. Their argument shows that for each such slot, the rewinding “succeeds” with probability close to 1/2 and the slot gets “solved”; as a consequence, except with negligible probability, for each session there exists some slot that is “solved”, and this suffices for simulating the session. In our instantiation of their protocol, rewinding a slot just once does not suffice to “solve” the session (and complete the simulation of that session). Rather, we need polynomially many, say g(n) = poly(|V*|) where |V*| is the size of the verifier (including its auxiliary input), successful rewindings (in order to rewind the signature slot sufficiently many times to provide the signature trees). We deal with this issue in a straightforward way: we use exactly the same rewinding strategy as in [DGS09], but instead rewind each slot (that was being rewound once in [DGS09]) 3g(n) times. It follows, using a slight generalization of the argument in [DGS09], that each slot that is rewound is successfully solved with probability close to 1/2, and the rest of the simulation argument continues in exactly the same way as in [DGS09]. Additionally, rewinding polynomially many times (as opposed to twice) only increases the running-time by a polynomial factor (the technical reason for this is that the [DGS09] simulator only performs a constant number of recursive rewindings).

A PCP-free construction Just like Barak's protocol, our constructions rely on universal arguments, which in turn rely on Probabilistically Checkable Proofs (PCPs). Intriguingly, the approach of Bitansky and Paneth [BP12] does not rely on PCPs; on the other hand, it relies on some other quite heavy machinery: “unobfuscatable functions” [BGI+12] and general secure two-party computation [GMW91].

As we now sketch, our approach can be instantiated without the use of PCPs, and without introducing any other machinery. (Indeed, although we have not verified the details, it would seem that a practical implementation of our protocol can be given by relying on efficient signatures and zero-knowledge proofs of committed signatures, as in e.g., [CL01].) Recall that in Barak's protocol the universal argument is used to prove a statement of the form “c is a commitment to a hash of a program M such that M(c) = r”. Also recall that (in the [PR05] variant of [Bar01]) the honest prover never needs to engage in the universal argument; it is only the simulator that needs to prove the above statement. Rather than providing a universal argument, we let the simulator prove this statement piecemeal, step-by-step, using a strategy that is very similar to one employed in the “impossibility of instantiating random oracles” result of [CGH04]. (On a high level, this type of piecemeal decomposition is also somewhat similar to what is done in the impossibility result of [BGI+12]; as such our approach brings out the connection between the techniques from [Bar01] and [BP12].) More precisely, in the actual protocol, the verifier generates a key-pair vk′, sk′ for a signature scheme and sends vk′ to the prover. The prover then provides the verifier with a commitment c_1 to a signature-tree of a start-configuration, a commitment c_2 to a signature-tree of a current-configuration, a commitment c_3 to a signature-tree of a next-configuration, a commitment c_4, and a witness indistinguishable argument of knowledge that either a) x ∈ L, or b) start-configuration = next-configuration, or c) c_4 is a commitment to a signature (using sk′) of c_1, c_2 and performing one step of computation given current-configuration leads to next-configuration. (Note that since we use signature-trees, verification of conditions b) and c) can both be done in time polylogarithmic in the length of the configurations.) If the argument of knowledge is accepting, the verifier signs c_1, c_3. Roughly speaking, the above “slot” makes it possible for the simulator to get a signature on (commitments to signature-trees of) (s_0, s_0), where s_0 is the initial configuration of M(a) (using condition b), and next, by rewinding the verifier sufficiently many times, to get signatures on later configurations (s_0, s_t) in the computation of M(a) (using condition c). Thus, finally, the simulator can get a signature on (s_0, s_t) where s_t is the terminating configuration of the computation of M(a). The simulator can then use this signature to convince the verifier that M(c) = r where M is the program committed to in c. To formally prove soundness, we actually need to slightly modify the definition of a signing slot (as in [LP11]) to additionally require the prover to first prove (using a witness indistinguishable argument of knowledge) that the message m it requests a signature of is a valid commitment to a value that it knows, or that x ∈ L; as in [LP11], the reason we require this additional argument of knowledge is to ensure that if an attacker is able to come up with the root of a signature-tree, then we can extract the whole tree it has “committed” to. A complete formalization of this approach will appear in the final version of this paper.

1.3 Subsequent Work

A very recent elegant work by Bitansky and Paneth [?] (developed subsequently to our results) shows an alternative approach for obtaining resettably-sound arguments (and related primitives) from one-way functions, by first constructing functions that are not even “approximately” unobfuscatable, and relying on the connection between resettable-soundness and unobfuscatable functions from [BP12].

1.4 Outline

In Section 3 we provide formal definitions of signature trees, and establish collision-resistance properties of such trees. To formalize our construction of resettably-sound zero-knowledge in a modular way, in Section 4 we first consider an “oracle-aided” model, in which players have access to a signing oracle. We first show that the universal argument construction of Barak and Goldreich [BG02] can be instantiated using one-way functions in such an oracle-aided model, by replacing “hashing” with “signing”. We next show how to instantiate Pass and Rosen's [PR05] variant of Barak's protocol in the same way (by relying on the oracle-aided construction of universal arguments). This leads to a constant-round oracle-aided public-coin zero-knowledge argument of knowledge satisfying a key property: the honest prover never needs to access the oracle. We may next apply the transformation of [BGGL01] to this protocol to obtain an oracle-aided resettably-sound zero-knowledge argument of knowledge satisfying the same key property (the results of [BGGL01] relativize and thus we can directly apply them also to oracle-aided protocols).

In Section 5, we present a general transformation, transforming any oracle-aided resettably-sound zero-knowledge argument (of knowledge) satisfying the above key property into a resettably-sound zero-knowledge argument (of knowledge) in the “plain” model (i.e., without any oracle): the transformation simply consists of adding a signature slot at the beginning of the protocol. Taken together with our result in Section 4, this yields a constant-round resettably-sound zero-knowledge argument of knowledge for NP based on one-way functions.

In Section 6, applications (such as simultaneously resettable zero-knowledge) are presented.


2 Preliminaries

We assume familiarity with interactive arguments, arguments of knowledge and witness indistinguishability; see Appendix A for more details.

2.1 Notations

Let N denote the set of positive integers, and [n] denote the set {1, 2, ..., n}. Given a string x, we let x_i denote the i-th bit of x, and x_{≤i} denote the prefix of x up to and including its i-th bit. By a probabilistic algorithm we mean a Turing machine that receives an auxiliary random tape as input. If M is a probabilistic algorithm, then for any input x, the notation “M_r(x)” denotes the output of M on input x when M's random tape is fixed to r, while M(x) represents the distribution of outputs of M_r(x) when r is chosen uniformly. An oracle algorithm is a machine that gets oracle access to another machine. Given a probabilistic oracle algorithm M and a probabilistic algorithm A, we let M^A(x) denote the probability distribution over the outputs of the oracle algorithm M on input x, when given oracle access to A.

By $x \leftarrow S$, we denote that an element $x$ is sampled from a distribution $S$. If $F$ is a finite set,
then $x \leftarrow F$ means $x$ is sampled uniformly from the set $F$. To denote the ordered sequence in
which the experiments happen we use a semicolon, e.g. $(x \leftarrow S;\ (y,z) \leftarrow A(x))$. Using this notation
we can describe the probability of events. For example, if $p(\cdot,\cdot)$ denotes a predicate, then $\Pr[x \leftarrow
S;\ (y,z) \leftarrow A(x) : p(y,z)]$ is the probability that the predicate $p(y,z)$ is true in the ordered sequence
of experiments $(x \leftarrow S;\ (y,z) \leftarrow A(x))$. The notation $\{(x \leftarrow S;\ (y,z) \leftarrow A(x) : (y,z))\}$ denotes
the resulting probability distribution $\{(y,z)\}$ generated by the ordered sequence of experiments
$(x \leftarrow S;\ (y,z) \leftarrow A(x))$.

2.2  Zero  Knowledge 

We  start  by  recalling  the  definition  of  zero  knowledge  from  [GMR89]. 

Definition 1 (Zero-knowledge [GMR89]). An interactive protocol $(P,V)$ for language $L$ is zero-knowledge
if for every PPT adversarial verifier $V^*$, there exists a PPT simulator $S$ such that the
following ensembles are computationally indistinguishable over $x \in L$:

$$\{\mathrm{View}_{V^*}\langle P, V^*(z)\rangle(x)\}_{x \in L,\, z \in \{0,1\}^*} \;\approx\; \{S(x,z)\}_{x \in L,\, z \in \{0,1\}^*}$$


2.3  Resettably  Sound  Zero  Knowledge 

Let us recall the definition of resettable soundness due to [BGGL01].

Definition 2 (Resettably-sound Arguments [BGGL01]). A resetting attack of a cheating prover $P^*$
on a resettable verifier $V$ is defined by the following two-step random process, indexed by a security
parameter $n$.

1. Uniformly select and fix $t = \mathrm{poly}(n)$ random tapes, denoted $r_1, \dots, r_t$, for $V$, resulting in
deterministic strategies $V^{(j)}(x) = V_{x,r_j}$ defined by $V_{x,r_j}(\alpha) = V(x, r_j, \alpha)$,⁶ where $x \in \{0,1\}^n$
and $j \in [t]$. Each $V^{(j)}(x)$ is called an incarnation of $V$.

2. On input $1^n$, machine $P^*$ is allowed to initiate $\mathrm{poly}(n)$-many interactions with the $V^{(j)}(x)$'s.
The activity of $P^*$ proceeds in rounds. In each round $P^*$ chooses $x \in \{0,1\}^n$ and $j \in [t]$, thus
defining $V^{(j)}(x)$, and conducts a complete session with it.

Let $(P, V)$ be an interactive argument for a language $L$. We say that $(P, V)$ is a resettably-sound
argument for $L$ if the following condition holds:

• Resettable soundness: For every polynomial-size resetting attack, the probability that in some
session the corresponding $V^{(j)}(x)$ has accepted and $x \notin L$ is negligible.

We will also consider a slight weakening of the notion of resettable soundness, where the statement
to be proven is fixed, and the verifier uses a single random tape (that is, the prover cannot
start many independent instances of the verifier).

Definition 3 (Fixed-input Resettably-sound Arguments [PTW09]). An interactive argument $(P, V)$
for an NP language $L$ with witness relation $R_L$ is fixed-input resettably-sound if it satisfies the following
property: for all non-uniform polynomial-time adversarial provers $P^*$, there exists a negligible
function $\mu(\cdot)$ such that for every $x \notin L$,

$$\Pr[R \leftarrow \{0,1\}^\infty;\ \langle P^{*\,V_{x,R}}, V_R\rangle(x) = 1] \le \mu(|x|)$$

As the following claim shows, any zero-knowledge argument of knowledge satisfying the weaker
notion can be transformed into one that satisfies the stronger one, while preserving zero-knowledge
(or any other secrecy property against malicious verifiers).

Claim 2. Let $(P, V)$ be a fixed-input resettably-sound zero-knowledge (resp. witness-indistinguishable)
argument of knowledge for a language $L \in \mathrm{NP}$. Then there exists a protocol $(P', V')$ that is a
(full-fledged) resettably-sound zero-knowledge (resp. witness-indistinguishable) argument of knowledge
for $L$.

Proof (Sketch). We rely on the PRF transformation used in [BGGL01], but since we are dealing
with private-coin protocols, we simply apply it to the random tape of the verifier. More precisely,
the new verifier $V'$ now chooses its random coins by applying a PRF to the statement $x$, and then
continues its execution by simulating $V$ using these random coins. (The honest prover remains
unchanged.) It follows using identically the same proof as in [BGGL01] that the new protocol satisfies
the required properties (note that the argument-of-knowledge property is necessary in this argument).
Since we have only modified the verifier strategy, zero-knowledge (or witness indistinguishability)
still holds. □

⁶Here, $V(x, r, \alpha)$ denotes the message sent by the strategy $V$ on common input $x$, random tape $r$, after seeing the
message-sequence $\alpha$.
3 Signature Trees


In  this  section,  we  define  an  analogue  of  Merkle-hash  trees  using  signature  schemes.  Towards  this,  we 
will  rely  on  the  existence  of  strong,  fixed-length,  deterministic  secure  signature  schemes.  Recall  that 
in  a  strong  signature  scheme,  no  polynomial-time  attacker  having  oracle  access  to  a  signing  oracle 
can  produce  a  valid  message-signature  pair,  unless  it  has  received  this  pair  from  the  signing  oracle. 
The  signature  scheme  being  fixed-length  means  that  signatures  of  arbitrary  (polynomial-length) 
messages  are  of  some  fixed  polynomial  length.  Deterministic  signatures  don’t  use  any  randomness 
in  the  signing  process  once  the  signing  key  has  been  chosen.  In  particular,  once  a  signing  key  has 
been  chosen,  a  message  m  will  always  be  signed  the  same  way. 

Definition 4 (Strong Signatures). A strong, length-$\ell$, signature scheme SIG is a triple (Gen, Sign, Ver)
of PPT algorithms, such that

1. for all $n \in \mathbb{N}$, $m \in \{0,1\}^*$,

$$\Pr[(sk, vk) \leftarrow \mathrm{Gen}(1^n),\ \sigma \leftarrow \mathrm{Sign}_{sk}(m);\ \mathrm{Ver}_{vk}(m, \sigma) = 1 \wedge |\sigma| = \ell(n)] = 1$$

2. for every non-uniform PPT adversary $A$, there exists a negligible function $\mu(\cdot)$ such that

$$\Pr[(sk, vk) \leftarrow \mathrm{Gen}(1^n),\ (m, \sigma) \leftarrow A^{\mathrm{Sign}_{sk}(\cdot)}(1^n);\ \mathrm{Ver}_{vk}(m, \sigma) = 1 \wedge (m, \sigma) \notin L] \le \mu(n),$$

where $L$ denotes the list of query-answer pairs of $A$'s queries to its oracle.

Strong, length-$\ell$ deterministic signature schemes with $\ell(n) = n$ are known based on the existence
of OWFs; see [NY89, Rom90, Gol01] for further details. In the rest of this paper, whenever we refer
to signature schemes, we always mean strong, length-$n$ signature schemes.

Let  us  first  note  that  signatures  satisfy  a  “collision-resistance”  property. 

Claim 3. Let SIG = (Gen, Sign, Ver) be a strong (length-$n$) signature scheme. Then, for all non-uniform
PPT adversaries $A$, there exists a negligible function $\mu(\cdot)$ such that for every $n \in \mathbb{N}$,

$$\Pr[(sk, vk) \leftarrow \mathrm{Gen}(1^n),\ (m_1, m_2, \sigma) \leftarrow A^{\mathrm{Sign}_{sk}(\cdot)}(1^n, vk);\ \mathrm{Ver}_{vk}(m_1, \sigma) = \mathrm{Ver}_{vk}(m_2, \sigma) = 1] \le \mu(n)$$


Proof. Assume for contradiction that there exists some non-uniform polynomial-time $A$ such that $A$
breaks the “collision-resistance” property of SIG with probability $1/p(n)$ for infinitely many $n \in \mathbb{N}$, where
$p$ is a polynomial. We show that $A$ can be used to break the strong unforgeability property of
SIG. More precisely, note that if $A$ outputs valid signatures $(m_1, \sigma)$, $(m_2, \sigma)$ without querying
the signing oracle with $m_1$ and $m_2$ and receiving $\sigma$ as a response to both queries, then $A$ already
breaks the security of the signature scheme. Thus w.l.o.g. we may assume $A$ queries both $m_1$ and
$m_2$ to the signing oracle and receives $\sigma$ as a response. We then simulate $A$, recording the
messages queried to the oracle along with the responses. At each point during the execution of $A$,
before forwarding the next query $m$ to the oracle, we test if any of the previously received signatures
is a valid signature for $m$. If so, we output $m$ together with such a signature $\sigma$. Notice that if $A$
always queries $m_1$ and $m_2$ and receives $\sigma$ as a response, then we will intercept whichever of the two
$A$ queries second. Thus, for infinitely many $n$, with probability $\ge 1/p(n)$ we forge a signature $\sigma$ for
some $m$ before ever querying the signing oracle and receiving $\sigma$ as a response. □
We now define an analog of Merkle hash trees which we call signature trees and show that they
also satisfy a collision-resistance property. We index each node of a complete binary tree $T$ of depth
$d$ by a binary string of length at most $d$, where the root is indexed by the empty string $\lambda$, and each
node indexed by $\gamma$ has left and right children indexed $\gamma 0$ and $\gamma 1$, respectively.

Definition 5 (Signature Trees). Let SIG = (Gen, Sign, Ver) be a strong, length-$n$ signature scheme.
Let $(sk, vk)$ be a key-pair of SIG, and $s$ be a string of length $2^d$. A signature tree of the string $s$
w.r.t. $(sk, vk)$ is a complete binary tree of depth $d$, defined as follows.

• A leaf $l_\gamma$ indexed by $\gamma \in \{0,1\}^d$ is set as the bit at position $\gamma$ in $s$.

• An internal node $l_\gamma$ indexed by $\gamma \in \bigcup_{i=0}^{d-1} \{0,1\}^i$ satisfies that $\mathrm{Ver}_{vk}((l_{\gamma 0}, l_{\gamma 1}), l_\gamma) = 1$.

Note that to verify whether a tree $T$ is a valid signature tree of a string $s$ w.r.t. the signature scheme
SIG and the key-pair $(sk, vk)$, knowledge of the secret key $sk$ is not needed. However, to create a
signature tree for a string $s$, the secret key $sk$ is needed.

The following notion of a signature path is the natural analog of an authentication path in a
Merkle tree.

Definition 6 (Signature Path). A signature path w.r.t. SIG, $vk$ and a root $l_\lambda$ for a bit $b$ at
leaf $\gamma \in \{0,1\}^d$ is a vector $p = ((l_0, l_1), (l_{\gamma_{\le 1} 0}, l_{\gamma_{\le 1} 1}), \dots, (l_{\gamma_{\le d-1} 0}, l_{\gamma_{\le d-1} 1}))$ such that for every
$i \in \{0, \dots, d-1\}$, $\mathrm{Ver}_{vk}((l_{\gamma_{\le i} 0}, l_{\gamma_{\le i} 1}), l_{\gamma_{\le i}}) = 1$. Let $\mathrm{PATH}_{\mathrm{SIG}}(p, b, \gamma, l_\lambda, vk) = 1$ if $p$ is a signature
path w.r.t. SIG, $vk$, $l_\lambda$ for $b$ at $\gamma$.

The following claim states that signature trees also satisfy an appropriate collision-resistance
property: no non-uniform PPT attacker having oracle access to a signing oracle can output a root
and valid signature paths for both 0 and 1 at some leaf $\gamma$.

Claim 4. Let SIG = (Gen, Sign, Ver) be a strong, length-$n$, signature scheme. Then, for every
non-uniform PPT adversary $A$, there exists a negligible function $\mu$ such that for every $n \in \mathbb{N}$,

$$\Pr[(sk, vk) \leftarrow \mathrm{Gen}(1^n),\ (p_0, p_1, \gamma, l_\lambda) \leftarrow A^{\mathrm{Sign}_{sk}(\cdot)}(1^n, vk);\ \forall b \in \{0,1\}\ \ \mathrm{PATH}_{\mathrm{SIG}}(p_b, b, \gamma, l_\lambda, vk) = 1] \le \mu(n)$$

Proof.  The  claim  directly  follows  from  Claim  3  since  any  two  valid  signature-paths  with  the  same 
root  but  different  leaf  value  must  contain  a  collision  for  the  underlying  signature  scheme.  □ 
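Definitions 5 and 6 and the reduction in the proof of Claim 4 in running form, as an added example in Go that is not the paper's code: Ed25519 stands in for the strong, fixed-length, deterministic scheme SIG, BuildSigTree is the signer's construction, VerifyPath is PATH_SIG (needing vk only), and ExtractCollision turns two valid paths to different bits at the same leaf into a collision for SIG. The level-array layout, the length-prefixed child encoding and passing γ as an integer are choices of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"math/bits"
)

// Ed25519 stands in for SIG: signing is deterministic, signatures are a fixed
// 64 bytes, and Go's verifier rejects non-canonical signatures, as strong
// unforgeability requires. A leaf holds one byte (the bit of s at gamma); an
// internal node l_gamma is a signature on the pair (l_gamma0, l_gamma1).
type SigTree struct {
	depth int
	level [][][]byte // level[i][j] is node number j (left to right) at depth i
}

// SigPath lists the sibling pairs (l_{gamma<=i 0}, l_{gamma<=i 1}) for i = 0..d-1;
// a leaf index gamma is passed as the integer whose d-bit binary expansion is gamma.
type SigPath [][2][]byte

// childrenMsg is the message a parent signs: both children, length-prefixed so
// that a (leaf, leaf) pair and a (signature, signature) pair can never collide.
func childrenMsg(left, right []byte) []byte {
	msg := append([]byte{byte(len(left))}, left...)
	msg = append(msg, byte(len(right)))
	return append(msg, right...)
}

// BuildSigTree signs a tree over s (length 2^d, entries 0/1) w.r.t. sk; building
// is the only operation that needs the secret key.
func BuildSigTree(sk ed25519.PrivateKey, s []byte) (*SigTree, error) {
	if len(s) == 0 || len(s)&(len(s)-1) != 0 {
		return nil, fmt.Errorf("string length %d is not a power of two", len(s))
	}
	d := bits.Len(uint(len(s))) - 1 // len(s) = 2^d
	t := &SigTree{depth: d, level: make([][][]byte, d+1)}
	t.level[d] = make([][]byte, len(s))
	for i, b := range s {
		if b > 1 {
			return nil, fmt.Errorf("position %d of s is not a bit", i)
		}
		t.level[d][i] = []byte{b}
	}
	for lvl := d - 1; lvl >= 0; lvl-- { // sign child pairs bottom-up
		t.level[lvl] = make([][]byte, 1<<lvl)
		for j := range t.level[lvl] {
			kids := t.level[lvl+1]
			t.level[lvl][j] = ed25519.Sign(sk, childrenMsg(kids[2*j], kids[2*j+1]))
		}
	}
	return t, nil
}

func (t *SigTree) Root() []byte { return t.level[0][0] }

// Path returns the signature path for leaf gamma.
func (t *SigTree) Path(gamma int) SigPath {
	p := make(SigPath, t.depth)
	for i := range p {
		prefix := gamma >> (t.depth - i) // node gamma<=i; its children sit at depth i+1
		p[i] = [2][]byte{t.level[i+1][2*prefix], t.level[i+1][2*prefix+1]}
	}
	return p
}

// VerifyPath is PATH_SIG(p, b, gamma, l_lambda, vk) for depth d; it needs vk only.
func VerifyPath(vk ed25519.PublicKey, p SigPath, b byte, gamma, d int, root []byte) bool {
	if len(p) != d || gamma < 0 || gamma >= 1<<d {
		return false
	}
	cur := root // l_{gamma<=0} = l_lambda
	for i, pair := range p {
		if !ed25519.Verify(vk, childrenMsg(pair[0], pair[1]), cur) {
			return false
		}
		cur = pair[(gamma>>(d-1-i))&1] // descend to l_{gamma<=i+1}
	}
	return len(cur) == 1 && cur[0] == b
}

// ExtractCollision is the reduction behind Claim 4: walking two paths for the same
// leaf under the same root, it returns the first node whose child messages differ.
// If both paths verify, sigma is valid for both m1 and m2: a collision as in Claim 3.
func ExtractCollision(p0, p1 SigPath, gamma, d int, root []byte) (m1, m2, sigma []byte, ok bool) {
	if len(p0) != d || len(p1) != d || gamma < 0 || gamma >= 1<<d {
		return nil, nil, nil, false
	}
	cur := root
	for i := range p0 {
		m1, m2 = childrenMsg(p0[i][0], p0[i][1]), childrenMsg(p1[i][0], p1[i][1])
		if !bytes.Equal(m1, m2) {
			return m1, m2, cur, true
		}
		cur = p0[i][(gamma>>(d-1-i))&1] // pairs agree, so both paths continue here
	}
	return nil, nil, nil, false // identical paths attest to the same leaf value
}

func main() {
	vk, sk, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	t, _ := BuildSigTree(sk, []byte{1, 0, 1, 1}) // constructed s; leaf gamma=2 ("10") holds 1
	fmt.Println(VerifyPath(vk, t.Path(2), 1, 2, t.depth, t.Root())) // true
}
```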

3.1  Sig-Com  Schemes 

For the technical reason explained in the introduction, we will rely on a variant of signature trees
consisting of alternating signatures and commitments. To formalize this, we consider the notion of
a “sig-com” scheme:

Definition 7 (Sig-Com Schemes). Let SIG = (Gen, Sign, Ver) be a strong, length-$n$, signature
scheme, and let Com be a non-interactive commitment scheme. Define SIG' = (Gen', Sign', Ver') to
be a triple of PPT machines defined as follows:

• Gen' = Gen.

• $\mathrm{Sign}'_{sk}(m)$: compute a commitment $c = \mathrm{Com}(m; r)$ using a uniformly selected $r$, and let
$\sigma = \mathrm{Sign}_{sk}(c)$; output $(\sigma, r)$.

• $\mathrm{Ver}'_{vk}(m, \sigma, r)$: output 1 iff $\mathrm{Ver}_{vk}(\mathrm{Com}(m; r), \sigma) = 1$.

We call SIG' the Sig-Com Scheme corresponding to SIG and Com.

Note that the above definition of a sig-com scheme assumes that Com is a non-interactive
commitment scheme. This is only for convenience of notation; the above definition, as well as
all subsequent results, directly apply also to 2-round commitments (i.e., families of non-interactive
commitment schemes, as in [Nao91]), by simply adding the first message to the verification key of
the sig-com scheme.

Sig-com schemes also satisfy a collision-resistance property:

Claim 5 (Collision Resistance of Sig-Coms). Let SIG = (Gen, Sign, Ver) be a strong, length-$n$ signature
scheme, Com be a non-interactive commitment scheme, and let SIG' = (Gen', Sign', Ver') be the
sig-com scheme corresponding to SIG and Com. Then, for any non-uniform PPT adversary $A$, there
exists a negligible function $\mu$ such that for all $n \in \mathbb{N}$:

$$\Pr[(sk, vk) \leftarrow \mathrm{Gen}(1^n),\ (\sigma, m_1, m_2, r_1, r_2) \leftarrow A^{\mathrm{Sign}_{sk}(\cdot)}(1^n, vk);\ m_1 \ne m_2,\ \mathrm{Ver}'_{vk}(m_1, \sigma, r_1) = \mathrm{Ver}'_{vk}(m_2, \sigma, r_2) = 1] \le \mu(n)$$

Proof. Note that by the binding property of Com, no non-uniform PPT adversary can output a valid
commitment $c$ to two different messages $m_1 \ne m_2$ except with negligible probability. Thus, except
with negligible probability, a successful non-uniform PPT attacker must output a signature for two
different commitments $c_1 \ne c_2$, violating collision resistance of SIG (i.e., Claim 3). □

Note  that  in  Claim  5,  the  attacker  gets  oracle  access  to  a  signature  oracle  (for  SIG)  as  opposed 
to  a  sig-com  oracle.  We  may  now  define  sig-com  trees  and  sig-com  paths  in  an  analogous  way  to 
(plain)  signature  trees  and  paths. 

Definition 8 (Sig-Com Trees). Let SIG = (Gen, Sign, Ver) be a strong, length-$n$ signature scheme,
let Com be a non-interactive commitment and let SIG' = (Gen', Sign', Ver') be the sig-com scheme
corresponding to SIG and Com. Let $(sk, vk)$ be a key-pair of SIG', and $s$ be a string of length $2^d$. A
sig-com tree of the string $s$ w.r.t. $(sk, vk)$ is a complete binary tree of depth $d$, defined as follows.

• A leaf $l_\gamma$ indexed by $\gamma \in \{0,1\}^d$ is set as the bit at position $\gamma$ in $s$.

• An internal node $l_\gamma$ indexed by $\gamma \in \bigcup_{i=0}^{d-1} \{0,1\}^i$ satisfies that there exists some $r_\gamma$ such that

$$\mathrm{Ver}'_{vk}((l_{\gamma 0}, l_{\gamma 1}), l_\gamma, r_\gamma) = 1.$$

Definition 9 (Sig-Com Path). Let SIG' = (Gen', Sign', Ver') be a sig-com scheme. A sig-com path
w.r.t. SIG', $vk$ and a root $l_\lambda$ for a bit $b$ at leaf $\gamma \in \{0,1\}^d$ is a vector $p = ((l_0, l_1, r_\lambda), (l_{\gamma_{\le 1} 0}, l_{\gamma_{\le 1} 1}, r_{\gamma_{\le 1}}),
\dots, (l_{\gamma_{\le d-1} 0}, l_{\gamma_{\le d-1} 1}, r_{\gamma_{\le d-1}}))$ such that for every $i \in \{0, \dots, d-1\}$, $\mathrm{Ver}'_{vk}((l_{\gamma_{\le i} 0}, l_{\gamma_{\le i} 1}), l_{\gamma_{\le i}}, r_{\gamma_{\le i}}) =
1$. Let $\mathrm{PATH}_{\mathrm{SIG}'}(p, b, \gamma, l_\lambda, vk) = 1$ if $p$ is a sig-com path w.r.t. SIG', $vk$, $l_\lambda$ for $b$ at $\gamma$.

Sig-com  trees  also  satisfy  a  collision-resistance  property: 
Claim 6. Let SIG = (Gen, Sign, Ver) be a strong, length-$n$ signature scheme, let Com be a non-interactive
commitment and let SIG' = (Gen', Sign', Ver') be the sig-com scheme corresponding to SIG
and Com. Then, for every non-uniform PPT adversary $A$, there exists a negligible function $\mu$ such
that for every $n \in \mathbb{N}$,

$$\Pr[(sk, vk) \leftarrow \mathrm{Gen}(1^n),\ (p_0, p_1, \gamma, l_\lambda) \leftarrow A^{\mathrm{Sign}_{sk}(\cdot)}(1^n, vk);\ \forall b \in \{0,1\}\ \ \mathrm{PATH}_{\mathrm{SIG}'}(p_b, b, \gamma, l_\lambda, vk) = 1] \le \mu(n)$$

Proof.  As  in  Claim  4,  the  claim  follows  directly  from  Claim  5  since  any  two  valid  sig-com  paths 
with  the  same  root  but  different  leaf  values  must  contain  a  collision  for  the  underlying  sig-com 
scheme.  □ 

Canonical Sig-com Schemes. Throughout the rest of the paper, we consider sig-com schemes SIG'
and sig-com trees corresponding to a strong, length-$n$ deterministic signature scheme SIG and a non-interactive
commitment Com that generates $n^2$-bit-long commitments to $2n$-bit strings. Thus,
each node of the sig-com tree is an $n$-bit signature of an $n^2$-bit commitment of the two signatures
of the children nodes. Hereafter, we refer to such a SIG' as a canonical sig-com scheme.

4  Oracle-Aided  Resettably-sound  Zero  Knowledge  Protocols 

In this section we show how to construct a resettably-sound ZK argument in an oracle-aided model
where prover and verifier additionally have access to a public parameter generated prior to the
interaction (in our protocol, this will be the verification key for a signature scheme), and, further,
the prover has access to an oracle, also generated prior to the interaction (in our protocol, this will
be a signature/sig-com oracle).

More formally, let $\mathcal{O}$ be a probabilistic algorithm that on input a security parameter $n$, outputs a
polynomial-length (in $n$) public parameter $pp$, as well as the description of an oracle $O$. The oracle-aided
execution of an interactive protocol with common input $x$ between a prover $P$ with auxiliary
input $y$ and a verifier $V$ consists of first generating $pp, O \leftarrow \mathcal{O}(1^n)$ and then letting $P^O(x, y, pp)$
interact with $V(x, pp)$.

Definition 10 (Oracle-aided Interactive Arguments). A pair of oracle algorithms $(P, V)$ is an $\mathcal{O}$-oracle-aided
argument for an NP language $L$ with witness relation $R_L$ if it satisfies the following
properties:

• Completeness: There exists a negligible function $\mu(\cdot)$, such that for all $x \in L$, if $w \in R_L(x)$,

$$\Pr[pp, O \leftarrow \mathcal{O}(1^{|x|});\ \langle P^O(w), V\rangle(x, pp) = 1] = 1 - \mu(|x|)$$

• Soundness: For all non-uniform polynomial-time adversarial provers $P^*$, there exists a negligible
function $\mu(\cdot)$ such that for every $x \notin L$,

$$\Pr[pp, O \leftarrow \mathcal{O}(1^{|x|});\ \langle P^{*O}, V\rangle(x, pp) = 1] \le \mu(|x|)$$

Additionally, if the following condition holds, $(P, V)$ is an $\mathcal{O}$-oracle-aided argument of knowledge:

• Argument of knowledge: There exists an expected PPT algorithm $E$ such that for every polynomial-size
$P^*$, there exists a negligible function $\mu(\cdot)$ such that for every $x$,

$$\Pr[pp, O \leftarrow \mathcal{O}(1^{|x|});\ w \leftarrow E^{P^{*O}(x, pp)}(x, pp) : w \in R_L(x)] \;\ge\; \Pr[pp, O \leftarrow \mathcal{O}(1^{|x|});\ \langle P^{*O}, V\rangle(x, pp) = 1] - \mu(|x|)$$

Definition 11 (Oracle-aided Resettably-sound Interactive Arguments). An $\mathcal{O}$-oracle-aided resetting
attack of a cheating prover $P^*$ on a resettable verifier $V$ is defined by the following three-step random
process, indexed by a security parameter $n$.

1. An initial setup where a public parameter and an oracle are generated: $pp, O \leftarrow \mathcal{O}(1^n)$. $P^*$ is
given $pp$ and oracle access to $O$.

2. Uniformly select and fix $t = \mathrm{poly}(n)$ random tapes, denoted $r_1, \dots, r_t$, for $V$, resulting in
deterministic strategies $V^{(j)}(x) = V_{x,r_j}$ defined by $V_{x,r_j}(\alpha) = V(x, r_j, \alpha)$, where $x \in \{0,1\}^n$
and $j \in [t]$. Each $V^{(j)}(x)$ is called an incarnation of $V$.

3. On input $1^n$, machine $P^*$ is allowed to initiate $\mathrm{poly}(n)$-many interactions with the $V^{(j)}(x)$'s.
The activity of $P^*$ proceeds in rounds. In each round $P^*$ chooses $x \in \{0,1\}^n$ and $j \in [t]$, thus
defining $V^{(j)}(x)$, and conducts a complete session with it.

Let $(P, V)$ be an $\mathcal{O}$-oracle-aided interactive argument for a language $L$. We say that $(P, V)$ is
an $\mathcal{O}$-oracle-aided resettably-sound argument for $L$ if the following condition holds:

• $\mathcal{O}$-oracle-aided resettable soundness: For every polynomial-size resetting attack, the probability
that in some session the corresponding $V^{(j)}(x)$ has accepted and $x \notin L$ is negligible.

Towards our goal of constructing oracle-aided resettably-sound zero-knowledge, we now define
and construct an oracle-aided version of universal arguments.

4.1  Oracle-aided  Universal  Arguments 

Universal arguments (introduced in [BG02] and closely related to CS-proofs [Mic00]) are used in
order to provide “efficient” proofs to statements of the form $y = (M, x, t)$, where $y$ is considered
to be a true statement if $M$ is a non-deterministic machine that accepts $x$ within $t$ steps. The
corresponding language and witness relation are denoted $L_U$ and $R_U$ respectively, where the pair
$((M, x, t), w)$ is in $R_U$ if $M$ (viewed here as a two-input deterministic machine) accepts the pair
$(x, w)$ within $t$ steps. Notice that every language in NP is linear-time reducible to $L_U$. Thus, a
proof system for $L_U$ allows us to handle all NP statements. In fact, a proof system for $L_U$ enables
us to handle languages that are beyond NP, as the language $L_U$ is NE-complete (hence the name
universal arguments).⁷ We here provide an oracle-aided variant of the [BG02] definition of universal
arguments.

Definition 12 (Oracle-aided Universal Argument). An oracle-aided protocol $(P, V)$ is called an
$\mathcal{O}$-oracle-aided universal argument system if it satisfies the following properties:

• Efficient verification: There exists a polynomial $p$ such that for any $y = (M, x, t)$, and for any
$pp, O$ generated by $\mathcal{O}$, the total time spent by the (probabilistic) verifier strategy $V$, on common
input $y, pp$, is at most $p(|y| + |pp|)$. In particular, all messages exchanged in the protocol have
length smaller than $p(|y| + |pp|)$.

• Completeness with a relatively efficient oracle-aided prover: For every $(y = (M, x, t), w)$ in $R_U$,

$$\Pr[pp, O \leftarrow \mathcal{O}(1^{|y|});\ \langle P^O(w), V\rangle(y, pp) = 1] = 1.$$

Furthermore, there exists a polynomial $q$ such that the total time spent by $P^O(w)$, on common
input $y = (M, x, t), pp$, is at most $q(T_M(x, w) + |pp|) \le q(t + |pp|)$, where $T_M(x, w)$ denotes
the running time of $M$ on input $(x, w)$.

• Weak proof of knowledge for adaptively chosen statements: For every polynomial $p$ there exists
a polynomial $p'$ and a probabilistic polynomial-time oracle machine $E$ such that the following
holds: for every non-uniform polynomial-time oracle algorithm $P^*$, if

$$\Pr[pp, O \leftarrow \mathcal{O}(1^n);\ R \leftarrow \{0,1\}^\infty;\ y \leftarrow P^{*O}_R(pp) : \langle P^{*O}_R(pp), V(y, pp)\rangle = 1] \ge 1/p(n)$$

then

$$\Pr[pp, O \leftarrow \mathcal{O}(1^n);\ R, r \leftarrow \{0,1\}^\infty;\ y \leftarrow P^{*O}_R(pp) : \exists w = w_1, \dots, w_t \in R_U(y)\ \text{s.t.}\ \forall i \in [t],\ E_r^{P^{*O}_R}(pp, y, i) = w_i] \ge 1/p'(n)$$

where $R_U(y) = \{w : (y, w) \in R_U\}$.

⁷Furthermore, every language in NEXP is polynomial-time (but not linear-time) reducible to $L_U$.

Note  that  our  proof  of  knowledge  condition  is  somewhat  different  from  the  one  used  in  [BG02] 
in  that  we  allow  the  (cheating)  prover  to  adaptively  choose  the  statement  to  be  proved,  after  having 
seen  the  public  parameter,  and  having  interacted  with  its  oracle. 

Nevertheless, as we shall see, the construction of [BG02] and their analysis will be useful to us.
Recall that in the construction of [BG02] tree hashing is used to hash down a “long” PCP proof into
a fixed-length “tree root”; the soundness property relies on the collision resistance of this tree hashing.
Let SIG' be a canonical sig-com scheme with SIG = (Gen, Sign, Ver) and Com being its underlying
signature scheme and commitment scheme. We observe that if we replace the use of tree hashing in
the [BG02] scheme with a sig-com tree using SIG', then the resulting protocol is an $\mathcal{O}_{\mathrm{SIG}}$-aided universal
argument for the following signature oracle $\mathcal{O}_{\mathrm{SIG}}$.

Definition 13 (Signature Oracle). Given a signature scheme SIG = (Gen, Sign, Ver), we define a
signature oracle $\mathcal{O}_{\mathrm{SIG}}$ as follows: On input a security parameter $n$, $\mathcal{O}_{\mathrm{SIG}}(1^n)$ generates $(vk, sk) \leftarrow
\mathrm{Gen}(1^n)$ and lets $pp = vk$ and $O(m) = \mathrm{Sign}_{sk}(m)$ for every $m \in \{0,1\}^{\mathrm{poly}(n)}$.

In fact, the universal argument has an even stronger completeness property that will be useful
for us: completeness holds even if the prover only gets access to a sig-com oracle (instead of a
signature oracle), and even if this is an arbitrary (not necessarily using the honest sign and commit
algorithms) sig-com oracle, as long as the oracle outputs valid sig-coms (for messages of a certain
fixed length) with overwhelming probability. More formally,
Definition 14 (Valid Sig-com Oracle). An oracle $\mathcal{O}'$ is a valid (SIG', $\ell$) oracle if there is a negligible
$\mu(\cdot)$ such that for every $n \in \mathbb{N}$, the following holds with probability $1 - \mu(n)$ over $pp, O \leftarrow \mathcal{O}'(1^n)$:
for every $m \in \{0,1\}^{\ell(n)}$, $O(m)$ returns $(\sigma, r)$ such that $\mathrm{Ver}'_{vk}(m, \sigma, r) = 1$ with probability at least
$1 - \mu(n)$.

We  note  that  oracles  that  use  arbitrarily  biased  randomness  for  commitments  are  also  considered 
valid  sig-com  oracles.  (These  are  precisely  the  kind  of  oracles  we  will  be  forced  to  use  later  on). 

Definition 15. An $\mathcal{O}_{\mathrm{SIG}}$-aided universal argument $(P, V)$ has (SIG', $\ell$)-completeness if there exists
a prover $P'$ such that the completeness condition holds for $(P', V)$ when the oracle $\mathcal{O}_{\mathrm{SIG}}$ is replaced
by any valid (SIG', $\ell$) oracle $\mathcal{O}'$.

We  now  have  the  following  theorem. 

Theorem 7. Let SIG' be a canonical sig-com scheme with SIG and Com being its underlying signature
scheme and commitment scheme. Then there exists a (SIG', $\ell$)-complete $\mathcal{O}_{\mathrm{SIG}}$-aided universal
argument with $\ell(n) = 2n$.

The  proof  of  the  theorem  identically  follows  that  of  Barak  and  Goldreich  [BG02],  with  a  minor 
modification  to  deal  with  adaptively  chosen  statements  when  proving  the  weak  argument  of  knowl¬ 
edge  property.  For  completeness,  we  provide  a  full  proof  in  Appendix  B  (very  closely  following  the 
presentation  of  [BG02]). 

4.2  Oracle-aided  Zero-Knowledge  Protocols 

We now turn to constructing oracle-aided resettably-sound zero-knowledge protocols. We start by
defining a strong notion of an $\mathcal{O}$-oracle-aided version of ZK. First of all, we restrict to protocols
where the honest prover does not access the oracle. Secondly, we require that simulation can be
performed given oracle access to any valid SIG' oracle. These two restrictions will be important
when we later instantiate the oracle-aided protocol in the plain model.

Definition 16 (Oracle-aided Zero-Knowledge). A pair of algorithms $(P, V)$ is (SIG', $\ell$)-oracle-aided
zero-knowledge for an NP language $L$ with witness relation $R_L$ if for every polynomial-time
adversarial verifier $V^*$, there exists a simulator $S$, such that for every valid (SIG', $\ell$)-oracle $\mathcal{O}'$,
the following ensembles are indistinguishable over $x \in L$,

$$\{pp, O \leftarrow \mathcal{O}'(1^{|x|}) : (pp, \mathrm{View}_{V^*}\langle P(w), V^*(z)\rangle(x, pp))\}_{x \in L,\, w \in R_L(x),\, z \in \{0,1\}^*}$$

$$\approx\; \{pp, O \leftarrow \mathcal{O}'(1^{|x|}) : (pp, S^O(x, z, pp))\}_{x \in L,\, w \in R_L(x),\, z \in \{0,1\}^*}$$

We now turn to the question of constructing a protocol that satisfies the above requirements.
Note that, as a first attempt, we could try constructing a constant-round public-coin ZK protocol by
replacing the tree hashing in Barak’s protocol [Bar01] with sig-com trees, and then applying the PRF
transformation of [BGGL01] to achieve resettable soundness. While this indeed could be used to get
a resettably-sound ZK protocol in the oracle-aided model, the resulting protocol would require the
honest prover to make polynomially many queries to the oracle (to complete the WIUARG). To get
around this, we instead rely on a variant of Barak’s protocol used in Pass and Rosen [PR05], which
provides a “special-purpose” implementation of the WIUARG used in Barak’s protocol in which the
honest prover does not need to perform any “hashing”.⁸

⁸In fact, early versions of Barak’s protocol also relied on such a special-purpose implementation of WIUARG.
More precisely, our protocol proceeds as follows. In Stage 1, $P$ sends a commitment $c =
\mathrm{Com}(0^{2n})$, and then $V$ sends back a challenge $r \in \{0,1\}^n$ as in Barak’s protocol. In Stage 2, $P$
and $V$ first execute an “encrypted” universal argument $(P_{UA}, V_{UA})$ of the statement that “$c$ is a
commitment to a sig-com tree root of a program $M$ and $M(c) = r$,” where instead of sending the
messages in the clear, the prover sends commitments to the messages. The honest prover simply
sends commitments to 0 (and thus will fail in this encrypted universal argument). Finally, $P$ and $V$
execute a witness-indistinguishable argument of knowledge of the statement that “$x \in L$ OR $V_{UA}$
accepts in the encrypted universal argument.”


Common Input: An instance $x$ of a language $L \in \mathrm{NP}$ with witness relation $R_L$.

Auxiliary input to $P$: A witness $w$ such that $(x, w) \in R_L$.

Primitives Used: A canonical sig-com scheme SIG' with SIG and Com as the underlying signature
and commitment schemes, and a (SIG', $\ell$)-complete $\mathcal{O}_{\mathrm{SIG}}$-aided universal argument $(P_{UA}, V_{UA})$
with $\ell(n) = 2n$.

Set Up: Run $(pp, O) \leftarrow \mathcal{O}_{\mathrm{SIG}}(1^n)$, add $pp$ to the common input for $P$ and $V$. Furthermore, allow $P$ oracle
access to $O$.

Stage One (Trapdoor):

P1: Send $c_0 = \mathrm{Com}(0^{2n}, r_0)$ to $V$ with uniform $r_0$

V1: Send $r \leftarrow \{0,1\}^n$ to $P$

Stage Two (Encrypted Universal Argument):

P2: Send $c_1 = \mathrm{Com}(0^{2n}, r_1)$ for uniformly selected $r_1$

V2: Send $r'$, a uniformly chosen random tape for $V_{UA}$

P3: Send $c_2 = \mathrm{Com}(0^k, r_2)$ for uniformly selected $r_2$, where $k$ is the length of $P_{UA}$'s second
message.

Stage Three (Main Proof):

$P \leftrightarrow V$: A WI-AOK $(P_{WI}, V_{WI})$ proving the OR of the following statements:

1. $\exists w \in \{0,1\}^{\mathrm{poly}(|x|)}$ s.t. $(x, w) \in R_L$.

2. $\exists (p_1, p_2, r_1, r_2)$ s.t. $((c_0, r, c_1, c_2, r', pp), (p_1, p_2, r_1, r_2)) \in R_{L_2}$ (defined in Fig. 2).

Figure 1: $\mathcal{O}_{\mathrm{SIG}}$-aided ZK Argument of Knowledge.

A formal description of the protocol can be found in Fig. 1 and Fig. 2. Note that, in this
construction, the honest prover $P$ can convince the verifier by proving $x \in L$ in the final witness-indistinguishable
argument without making any oracle queries. This leads to the following theorem.
The proof of the theorem closely follows [Bar01, PR05] but the proof of the “argument of knowledge”
property requires special care to deal with the fact that a cheating prover may adaptively choose
the statements to be proved in the encrypted universal argument (after having interacted with its
oracle).⁹ A formal proof of the theorem can be found in Appendix C.

⁹In [Bar01, PR05] this issue does not arise since different, independently chosen hash functions are used in Stage
1 and in Stage 2.




Relation 1: Let SIG' be a sig-com scheme, with underlying signature scheme SIG and commitment scheme Com. Let ECC be a binary error-correcting code with constant min-distance and an efficient encoding algorithm. We say that (c_0, r, pp) ∈ L_1 if ∃ (τ_0, d, h, C, {p_i}_{i ∈ [2^d]}) such that

• c_0 = Com((d, h); τ_0)

• (d, h) are the depth and root of a sig-com tree for C w.r.t. pp

• Each p_i is a valid sig-com path for leaf i of this sig-com tree. That is, PATH_SIG(p_i, C_i, i, h, pp) = 1 for each i.

• C = ECC(Π) for some circuit Π

• Π(c_0) = r.

We let R_{L_1} be the witness relation corresponding to L_1.

Relation 2: Let L_1 be described as above, with respect to SIG' and ECC. Let (P_UA, V_UA) be a (SIG', ℓ)-complete O_SIG-aided universal argument with ℓ(n) = 2n. We say that (c_0, r, c_1, c_2, r', pp) ∈ L_2 if ∃ (π_1, π_2, τ_1, τ_2) such that

• c_1 = Com(π_1; τ_1), c_2 = Com(π_2; τ_2).

• (π_1, r', π_2) constitutes an accepting (P_UA, V_UA) transcript for (c_0, r) ∈ L_1.

We let R_{L_2} be the witness relation corresponding to L_2.

Figure 2: Relations used in the O_SIG-aided ZK protocol in Fig. 1.

Theorem 8. Let SIG' be a canonical sig-com scheme with SIG and Com being its underlying signature scheme and commitment scheme. Then there exists an O_SIG-oracle-aided argument of knowledge (P, V) for NP; additionally,

1. (P, V) is constant-round and public-coin;

2. P does not make any queries to its oracle;

3. (P, V) is (SIG', ℓ)-oracle-aided zero-knowledge for ℓ(n) = 2n.

Finally, we apply the PRF transformation of [BGGL01] to the O_SIG-oracle-aided ZK protocol (P, V) constructed above to achieve O_SIG-oracle-aided resettable soundness. More precisely, we modify the public-coin verifier V into a "PRF-verifier" V that samples a seed s for a PRF f_s at the beginning and then generates each verifier message by applying f_s to the current transcript. The proof in [BGGL01] relativizes, and as a consequence we have the following theorem:

Theorem 9. Let SIG' be a canonical sig-com scheme with SIG and Com being its underlying signature scheme and commitment scheme. Then there exists an O_SIG-aided constant-round resettably-sound argument of knowledge (P, V) for NP; additionally,

1. P does not make any queries to its oracle;

2. (P, V) is (SIG', ℓ)-oracle-aided zero-knowledge for ℓ(n) = 2n.
5 Resettably-sound Zero Knowledge in the Plain Model

Let SIG' be a canonical sig-com scheme with SIG and Com being its underlying signature scheme and commitment scheme. Let (P, V) be an O_SIG-aided resettably-sound argument of knowledge for a language L with witness relation R_L, where P does not make any queries to its oracle. Consider the protocol (P̃, Ṽ) that on common input x, and auxiliary prover input w, proceeds as follows.

1. Init: Ṽ runs (sk, vk) ← Gen(1^n) and sends vk to P̃.

2. Signing Slot:

• P̃ generates c = Com(0^{2n}; r), where r is uniformly sampled, and sends c to Ṽ.

• Ṽ replies with σ = Sign_sk(c).

• P̃ aborts if σ is not a valid signature of c.

3. Body: Invoke the protocol (P(w), V)(x, pp) with pp = vk.

Lemma 10. If (P, V) is (SIG', 2n)-oracle-aided zero-knowledge for L with witness relation R_L, then (P̃, Ṽ) is a fixed-input resettably-sound zero-knowledge argument of knowledge for L with witness relation R_L.

Note that here we only obtain a fixed-input resettably-sound argument of knowledge (defined in Definition 3), but this can be transformed into a "full-fledged" resettably-sound one by using the transformation in Claim 2, which thus establishes our main Theorem 1.

Before proving Lemma 10 formally, we provide a high-level sketch first. Completeness of (P̃, Ṽ) follows directly from the completeness of (P, V). Resettable soundness and the argument-of-knowledge property, roughly speaking, follow by emulating all signature-slot messages using the oracle. The zero-knowledge simulator proceeds by first honestly emulating the signature slot for the malicious verifier Ṽ*, and if Ṽ* provides an accepting signature, we next run the oracle-aided simulator, appropriately rewinding the malicious verifier during the signature slot to implement some valid sig-com oracle. The verifier may not always answer, but we can "keep rewinding" him, sending fresh commitments until he does. Roughly speaking, the key point is that if Ṽ* did provide a valid signature during the first pass, then in expectation, by the hiding property of the commitment scheme, we only need a polynomial number of rewindings. This "almost" works: just as in [GK96], we need to take special care to deal with verifiers that only provide valid signatures with very small probability. We proceed with a formal proof.

Proof. Completeness of (P̃, Ṽ) follows directly from the completeness of (P, V) since, by assumption, P never makes any oracle queries.

To prove the fixed-input resettable soundness of (P̃, Ṽ), we show how to convert a malicious prover P̃* for (P̃, Ṽ) into an oracle-aided malicious prover P* for (P, V) that succeeds with the same probability. P*^O(1^n, pp) internally emulates an execution of P̃* as follows:

• Upon invocation, P* feeds P̃* the message pp (corresponding to the "Init message" of the protocol).

• Whenever P̃* makes a signing-slot query, that is, whenever it requests a signature on some message c from Ṽ, P* forwards c to its oracle O, and relays the answer back to P̃* as Ṽ's reply.

• All other messages are forwarded externally to the verifier, and the verifier's replies are relayed back.

It follows by inspection that P* succeeds in convincing V (during a reset attack) with identically the same probability as P̃* convinces Ṽ, since the view of P̃* in the emulation by P* is identical to its view in the execution with Ṽ.

By the same argument we have that (P̃, Ṽ) is an argument of knowledge: Let E be the extractor for (P, V), and define the extractor Ẽ for (P̃, Ṽ) that, given oracle access to P̃*, proceeds as follows: Ẽ runs (pp, O) ← O_SIG, and then Ẽ emulates the execution of E given oracle access to the P* described above, while 1) internally emulating all oracle queries by P* (using O) and 2) externally querying (and relaying back the answer of) P̃* on all queries made by E to P*. Since P* succeeds in convincing V with identically the same probability as P̃* convinces Ṽ, it follows by the argument-of-knowledge property of (P, V) that (P̃, Ṽ) is also an argument of knowledge.

Let us turn to zero-knowledge. Consider some malicious (w.l.o.g. deterministic) verifier Ṽ* for (P̃, Ṽ) of size T_{Ṽ*}. We construct a simulator S̃ for Ṽ*. Roughly speaking, S̃ starts by simulating (P̃, Ṽ*) honestly up to the end of the Signing Slot, and if P̃ does not abort, S̃ continues to simulate the view of Ṽ* in the Body part by 1) viewing the "residual" Ṽ* as a malicious V* for (P, V), 2) preparing a valid (SIG', 2n) oracle O' (by rewinding Ṽ* at the Signing Slot in the spirit of Goldreich-Kahan [GK96]), and 3) invoking the simulator S for V* with oracle O'.

More precisely, S̃ first receives vk from Ṽ*, generates and sends to Ṽ* an honest commitment c = Com(0^{2n}; r) with uniform r, and then receives back a signature σ from Ṽ*. If σ is not a valid signature of c, then the simulation halts immediately and outputs the transcript up to that point. Otherwise, let V* be the residual Ṽ* at the end of the Signing Slot (which is a malicious verifier for (P, V)), and construct an oracle O' as follows.

• S̃ repetitively queries Ṽ* at the Signing Slot with fresh commitments Com(0^{2n}; r) until it collects 2n valid signatures. Let t be the number of queries S̃ makes.

• Define O' that outputs pp = vk, and an oracle O that on input a message m ∈ {0,1}^{2n} proceeds as follows: O repetitively queries Ṽ* at the Signing Slot with fresh commitments Com(m; r) for at most t times. If Ṽ* ever replies with a valid signature σ for Com(m; r), then O outputs (σ, r). Otherwise, O returns ⊥.

If t > 2^{n/2}, then S̃ aborts. Otherwise, S̃ invokes the simulator S for V* with oracle O', while emulating the oracle for S during its execution, and outputs the view of V* (which is also a view of Ṽ*) generated by S at the end.
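To make the rewinding concrete, here is an added Python sketch of the Signing-Slot part of S̃ (example code written for this page, not the paper's construction): a hash-based commitment and an HMAC stand in for Com and SIG (so pp = vk is the MAC key, an assumption made only for this toy), and a "moody" verifier answers the slot for roughly a p-fraction of the commitments it sees, independently of the committed message, which is what the hiding of Com buys. The simulator first does one honest pass, then rewinds with fresh Com(0^{2n}; r) until it holds 2n signatures, records t, and exposes an oracle that rewinds at most t times on Com(m; r); the cap parameter plays the role of the 2^{n/2} abort. The verifier class, the seed arguments and the function names are this example's own.

```python
import hashlib
import hmac
import random

def commit(m: bytes, r: bytes) -> bytes:
    """Toy Com(m; r) = H(r || m).  Hiding and binding are assumed, not proven."""
    return hashlib.sha256(r + m).digest()

class MoodyVerifier:
    """Stand-in for a deterministic malicious verifier V~* that returns a valid
    signature in the Signing Slot for only a p-fraction of the commitments it
    sees.  It never sees m inside Com(m; r), so its success rate p(m) is close
    to p for every m, which is exactly what the hiding of Com guarantees."""

    def __init__(self, sk: bytes, p: float):
        self.sk, self.p = sk, p        # HMAC stand-in for SIG: vk = sk = pp here

    def _sign(self, c: bytes) -> bytes:
        return hmac.new(self.sk, c, hashlib.sha256).digest()

    def signing_slot(self, c: bytes):
        # "Mood" is a deterministic function of the commitment bytes only.
        u = int.from_bytes(hashlib.sha256(b"mood" + c).digest()[:8], "big") / 2.0 ** 64
        return self._sign(c) if u < self.p else None   # None: refuses to answer

    def verify(self, c: bytes, sigma) -> bool:
        return sigma is not None and hmac.compare_digest(sigma, self._sign(c))

def _collect(vstar, n, rng, cap):
    """Rewind V~* with fresh Com(0^{2n}; r) until 2n valid signatures are in
    hand.  Returns (t, O): t is the number of queries; O is None when t
    exceeds cap (the paper aborts when t > 2^{n/2}).  O(m) rewinds at most t
    times with Com(m; r) and returns (sigma, r), or None for bottom."""
    zero = bytes(2 * n)          # 0^{2n}; messages are 2n bytes in this toy
    t = collected = 0
    while collected < 2 * n:
        t += 1
        if t > cap:
            return t, None
        r = rng.randbytes(16)
        c = commit(zero, r)
        if vstar.verify(c, vstar.signing_slot(c)):
            collected += 1

    def oracle(m: bytes):
        for _ in range(t):
            r = rng.randbytes(16)
            c = commit(m, r)
            sigma = vstar.signing_slot(c)
            if vstar.verify(c, sigma):
                return sigma, r
        return None

    return t, oracle

def build_oracle(vstar, n, seed, cap):
    """Construct the oracle O' for the residual verifier with seeded randomness."""
    return _collect(vstar, n, random.Random(seed), cap)

def simulate(vstar, n, seed, cap):
    """Outer loop of S~: one honest pass of the Signing Slot first; the cost of
    rewinding is only paid if V~* signed that first commitment."""
    rng = random.Random(seed)
    r = rng.randbytes(16)
    c = commit(bytes(2 * n), r)
    if not vstar.verify(c, vstar.signing_slot(c)):
        return {"aborted_first_pass": True, "t": 0, "oracle": None}
    t, oracle = _collect(vstar, n, rng, cap)
    return {"aborted_first_pass": False, "t": t, "oracle": oracle}
```

With p = 1/2 and n = 16 the collection loop ends after roughly 64 rewinds, well inside the 10n/p = 320 bound from the analysis below, and the oracle answers a query on a non-zero m at the first or second attempt. With a verifier that never answers, `_collect` stops at the cap and returns no oracle, which is the case the abort rule exists for; without the cap the loop would not terminate.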

To analyze S̃, we introduce some notation. Let p(m) be the probability that Ṽ*, on query a random commitment c = Com(m; r) of m ∈ {0,1}^{2n} at the Signing Slot, returns a valid signature of c. Let p = p(0^{2n}).

We first show that S̃ runs in expected polynomial time. To start, note that S̃ aborts at the end of the Signature Slot with probability 1 − p, and in this case, S̃ runs in polynomial time. With probability p, S̃ continues to invoke a strictly polynomial-time simulator S for the residual V*, which has size bounded by T_{Ṽ*}. Thus, S runs in some T = poly(T_{Ṽ*}) time and makes at most T queries to its oracle O, which in turn runs in time t · poly(n) to answer each query. Also note that S̃ runs in time at most 2^n, since S̃ aborts when t > 2^{n/2}. Now, we claim that t ≤ 10n/p with probability at least 1 − 2^{−n}, and thus the expected running time of S̃ is at most

(1 − p) · poly(n) + p · T · (10n/p) · poly(n) + 2^{−n} · 2^n ≤ poly(T_{Ṽ*}, n).
To see that t ≤ 10n/p with overwhelming probability, let X_1, ..., X_{10n/p} be i.i.d. indicator variables for the event that Ṽ* returns a valid signature for a random Com(0^{2n}; r), and note that t > 10n/p implies Σ_i X_i < 2n, which by a standard Chernoff bound can only happen with probability at most 2^{−n}.
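The two Chernoff-bound steps used in this proof, written out as an added derivation that the page leaves implicit. Both use the standard multiplicative bounds for a sum $X$ of independent indicators with mean $\mu$, namely $\Pr[X \le (1-\delta)\mu] \le e^{-\delta^2\mu/2}$ and $\Pr[X \ge (1+\delta)\mu] \le e^{-\delta^2\mu/3}$ for $0 < \delta \le 1$.

Upper bound on $t$: take $N = 10n/p$ queries, so $\mu = Np = 10n$, and $\delta = 4/5$, so that $(1-\delta)\mu = 2n$:

$$
\Pr\Big[\sum_{i=1}^{N} X_i < 2n\Big] \;\le\; \Pr\Big[\sum_{i=1}^{N} X_i \le (1-\delta)\mu\Big] \;\le\; e^{-\frac{16}{25}\cdot\frac{10n}{2}} \;=\; e^{-3.2n} \;<\; 2^{-n}.
$$

Since $t > 10n/p$ means the first $N$ queries yielded fewer than $2n$ valid signatures, $t \le 10n/p$ except with probability at most $2^{-n}$.

Lower bound on $t$ (used at the end of the proof): take $N' = n/p$ queries, so $\mu' = n$, and $\delta = 1$, so that $(1+\delta)\mu' = 2n$:

$$
\Pr\Big[\sum_{i=1}^{N'} X_i \ge 2n\Big] \;\le\; e^{-n/3} \;=\; 2^{-\Omega(n)}.
$$

Since $t < n/p$ would mean that all $2n$ signatures were already collected within the first $N'$ queries, $t \ge n/p$ except with probability $2^{-\Omega(n)}$.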

Finally, we argue indistinguishability. First, the computational hiding property of Com implies that there exists some negligible ν(·) such that |p(m) − p| ≤ ν(n) for every m ∈ {0,1}^{2n}. Now we consider two cases. If p ≤ 2ν, then indistinguishability trivially holds since the interaction aborts at the end of the Signature Slot (in which case the view is perfectly simulated) with all but negligible probability. On the other hand, if p > 2ν, we show that the O' generated by S̃ is a valid (SIG', 2n) oracle for SIG' with overwhelming probability, and thus the indistinguishability of S̃ follows from the indistinguishability of S.

To see that O' is a valid (SIG', 2n) oracle for SIG' with overwhelming probability, note again by a Chernoff bound that n/p ≤ t ≤ 2^{n/2} with probability at least 1 − 2^{−Ω(n)}. In this case, for every m ∈ {0,1}^{2n}, p(m) ≥ p − ν ≥ p/2 implies that t ≥ n/(2p(m)), and thus O(m) learns a valid signature of Com(m; r) from Ṽ* with probability at least 1 − 2^{−Ω(n)}. □

6 Applications

By plugging our resettably-sound zero-knowledge argument of knowledge into the constructions of [CGGM00, PRS02, BGGL01], with some minor modifications that we discuss shortly, we immediately obtain the following theorem. (Roughly speaking, in a resettably-witness-indistinguishable (resp., zero-knowledge) argument, the witness-indistinguishability (resp., zero-knowledge) property is required to hold also in the presence of a resetting verifier; see [CGGM00, BGGL01] for formal definitions.)

Theorem 11. Assume the existence of one-way functions. Then

• there exists a constant-round resettably-witness-indistinguishable argument of knowledge for all of NP,

• there exists an O(log n)-round resettable-zero-knowledge argument of knowledge for all of NP.

The construction of a constant-round resettably-witness-indistinguishable argument of knowledge follows directly from the results of [BGGL01]. For the construction of a resettably-zero-knowledge argument of knowledge, recall that [BGGL01] (following [CGGM00]) constructs resettably-zero-knowledge arguments of knowledge by compiling (using a resettably-sound zero-knowledge argument of knowledge) some underlying concurrent zero-knowledge protocol of the "committed-verifier type", where the verifier commits to its "challenges" at the beginning of the protocol, and then reveals them one by one in sequential "slots". The underlying concurrent zero-knowledge protocol, however, relies on the commitment in use being statistically hiding. We note that by a minor tweak of the concurrent zero-knowledge protocol of [PRS02], we can also use computationally-hiding commitments (which exist based on one-way functions). More precisely, we can replace the statistically-hiding commitments that the verifier uses with computationally-hiding commitments if the verifier, in the final stage of the protocol, instead of opening up all commitments, simply reveals the committed values and provides a resettably-sound zero-knowledge argument of knowledge of the values. In fact, the same trick of replacing statistically-hiding commitments with computationally-hiding commitments, but using just a "plain", as opposed to resettably-sound, zero-knowledge argument of knowledge in the final stage of the protocol, was used in [PRS02] to get a concurrent zero-knowledge argument from one-way functions, and soundness follows in exactly the same way as in [PRS02] (but to preserve resettable zero-knowledge, we here need to use a resettably-sound zero-knowledge argument of knowledge).

We proceed to discuss how to remove the need for CRHs in the simultaneously-resettable zero-knowledge argument protocol of Deng, Goyal and Sahai [DGS09] (referred to as DGS hereafter).

Theorem 12. Assume the existence of one-way permutations and trapdoor permutations. Then there exists a simultaneously-resettable zero-knowledge argument for NP.

We start by reviewing the construction of DGS, which proceeds in two steps. First, DGS constructs a "main protocol" that satisfies a weak notion of resettable soundness (so-called "hybrid soundness") and a weak notion of resettable zero-knowledge (so-called "relaxed concurrent zero-knowledge"). Then general transformations are applied to compile the main protocol into a simultaneously resettable one. The second step relies only on the existence of a simultaneously-resettable witness-indistinguishable argument, whereas the first step additionally requires the existence of CRHs and one-way permutations. Therefore, to achieve our goal, it suffices to remove the use of CRHs (by replacing them with signature trees) in the construction of their main protocol.

In more detail, the main protocol of DGS has the following high-level structure.

1. The protocol starts with the prover P committing to 2n² "challenges" ch_1, ..., ch_{2n²}.

2. Then the verifier V sends P a "trapdoor" trap = Com(1; r).

3. Then (P, V) proceed with 2n² "rewinding slots" as follows. For each i ∈ [2n²],

• P sends ch_i to V.

• (P, V) engage in a (variant of a) resettably-sound zero-knowledge argument¹⁰ where P proves to V that either ch_i is the correct challenge committed in the first prover message, or x ∈ L.

• V replies with an answer ans_i to ch_i if the rs-ZK argument is accepting.

4. Finally, P proves to V using a simultaneously-resettable WI that either x ∈ L or trap = Com(1; r) for some r.

The 2n² slots are used by the simulator S to extract a "fake witness" r to complete the final WI (i.e., to "solve" the session), where S rewinds the slots to collect two challenge-answer pairs (ch_i, ans_i), (ch'_i, ans'_i) to extract r. For the "honest" challenge ch_i (i.e., the one committed in the first prover message), S simply completes the rs-ZK honestly, whereas for the "fake" challenge ch'_i, S relies on the rs-ZK simulator to convince the verifier to provide the answer. Roughly speaking, DGS uses a variant of the RK-style [RK99] simulation strategy, where for each session the simulator selects 2n slots of the same "level" (such slots always exist unless the session already aborts) and rewinds each of the slots once, and demonstrates that the simulation never "gets stuck," except with negligible probability. At a high level, the crux is to show that for the simulator to get stuck, there must be at least n out of the 2n slots where a certain "FAILURE" pattern occurs, and for each slot, such a FAILURE pattern occurs with probability at most 1/2; thus, the chance of getting stuck on each session is at most 2^{−n}.

¹⁰ The variant here allows the committed program Π in Barak's protocol to access a "decommitment oracle," which is used by the non-black-box rs-ZK simulator to take "short-cuts" for resolved sessions in generating the proof in the universal argument (so that the complexity of UAs does not blow up). For the variant rs-ZK protocol to be sound, the commitment scheme in use needs to have unique opening; such commitment schemes can be constructed based on one-way permutations.

In the above protocol, CRHs are used in the rs-ZK arguments (as in Barak's protocol) in each slot. We remove the use of CRHs by instantiating the rs-ZK arguments with sig-com trees, in exactly the same way as in Barak's protocol. However, recall that our rs-ZK simulator needs to rewind the verifier polynomially many times to construct the sig-com tree (say, g(n) = poly(|V*|) signatures are needed, where |V*| is the size of the verifier¹¹), so rewinding each slot just once does not suffice to solve a session. A more subtle issue is that the slots for the "local" rs-ZK simulator and the "global" DGS simulator are different: the rs-ZK slot is the signature slot inside an rs-ZK argument, whereas the DGS slot is the challenge-answer slot that contains the whole rs-ZK argument.

We deal with both issues in a straightforward way. For the second issue, we let all rs-ZK arguments share the same "global" signature verification key vk chosen by the verifier at the beginning of a session, and identify the rs-ZK slot with the DGS slot. Namely, our rs-ZK simulator also rewinds the whole DGS slot (with a random challenge and a properly chosen commitment to be signed) to obtain a signature.¹² This allows us to unify the two versions of slots, and thus, to solve a session, it suffices to successfully rewind a DGS slot g(n) + 1 times (g(n) times for constructing the sig-com tree, and one more time to obtain the fake challenge-answer pair). To achieve this, we use exactly the same rewinding strategy as in DGS but instead rewind each slot (that was being rewound once in DGS) 3g(n) times. To see why this works, we first review the analysis in the original DGS setting and then generalize it to our context.

We start by describing the FAILURE pattern mentioned above. Recall that in the RK-style simulation strategy, whether a rewinding succeeds or not depends on the "length" of the slot (i.e., the number of messages before the slot gets closed), as the rewinding gets cut off if the length of a slot exceeds a certain threshold (depending on the level of the slot). The FAILURE pattern defined in DGS refers to the case where in the main thread the slot is "short" but in the rewinding the slot gets too "long." By the choice of parameters of DGS, the simulator can get stuck on a session only when at least n FAILURE patterns occur (out of the 2n slots). Now, since the main thread and the rewinding thread are computationally indistinguishable, the probabilities of getting a short/long slot in the two threads are negligibly close. As a consequence, the FAILURE pattern occurs with probability at most 1/4 + ngl(n) < 1/2, and the simulator only gets stuck with probability at most 2^{−n}.

In our context, we can generalize the definition of the FAILURE pattern for a slot to be that the slot is short in the main thread but is short in only < g(n) + 1 rewinding threads (out of the 3g(n) ones). By an identical argument to DGS, our simulator only gets stuck on a session when at least n FAILURE patterns occur (out of the 2n slots). Now, it is easy to argue that the FAILURE pattern occurs with probability at most 1/2: Let p be the probability of a slot being short in the main thread (which implies the slot being short in a rewinding thread with probability p ± ngl(n)). By definition, the FAILURE pattern occurs with probability at most p. Thus, if p ≤ 1/2, then we are done. On the other hand, if p > 1/2, then by a Chernoff bound, the slot will also be short in ≥ g(n) + 1 out of the 3g(n) rewinding threads with overwhelming probability, and clearly, the FAILURE pattern occurs with probability < 1/2.

¹¹ The size of the tree is proportional to the complexity of the universal argument, which, as demonstrated by DGS, is upper bounded by poly(|V*|).

¹² Note that in the rewinding for the signatures, the simulator would get stuck in completing the UA inside the rs-ZK argument, but for the purpose of obtaining the signature, it suffices to simulate up to the end of the signature slot. On the other hand, choosing a random challenge is crucial to make the main thread and the rewinding thread independent and computationally indistinguishable.

To summarize, by instantiating the rs-ZK arguments with sig-com trees we remove the use of CRHs in the main protocol of [DGS09]. By further plugging in the general transformations in the second step of [DGS09], we obtain simultaneously-resettable zero-knowledge arguments for NP based on the existence of one-way permutations and trapdoor permutations.
A Additional Preliminaries

A.1 Computational Indistinguishability

The following definition of computational indistinguishability originates in the seminal paper of Goldwasser and Micali [GM84]. Let X be a countable set of strings. A probability ensemble indexed by X is a sequence of random variables indexed by X. Namely, any element of A = {A_x}_{x∈X} is a random variable indexed by X.

Definition 17 (Indistinguishability). Let X and Y be countable sets. Two ensembles {A_{x,y}}_{x∈X, y∈Y} and {B_{x,y}}_{x∈X, y∈Y} are said to be computationally indistinguishable over X if for every probabilistic machine D (the distinguisher) whose running time is polynomial in its first input, there exists a negligible function ν(·) so that for every x ∈ X, y ∈ Y:

|Pr[D(x, y, A_{x,y}) = 1] − Pr[D(x, y, B_{x,y}) = 1]| < ν(|x|)

(In the above expression, D is simply given a sample from A_{x,y} and B_{x,y}, respectively.)

A.2 Interactive Arguments

Definition 18 (Interactive Arguments). A pair of interactive algorithms (P, V) is an interactive argument for an NP language L with witness relation R_L if it satisfies the following properties:

• Completeness: There exists a negligible function ν(·) such that for all x ∈ L, if w ∈ R_L(x),

Pr[(P(w), V)(x) = 1] = 1 − ν(|x|)

• Soundness: For all non-uniform polynomial-time adversarial provers P*, there exists a negligible function ν(·) such that for all x ∉ L,

Pr[(P*, V)(x) = 1] < ν(|x|)

If the following condition holds, (P, V) is an argument of knowledge:

• Argument of knowledge: There exists an expected PPT algorithm E such that for every polynomial-size P*, there exists a negligible function μ(·) such that for every x,

Pr[w ← E^{P*}(x) : w ∈ R_L(x)] ≥ Pr[(P*, V)(x) = 1] − μ(|x|)
A.3 Witness Indistinguishability

An interactive protocol is witness indistinguishable (WI) [FS90] if the verifier's view is "independent" of the witness used by the prover for proving the statement. In this context, we focus on languages L ∈ NP with a corresponding witness relation R_L. Namely, we consider interactions in which on common input x the prover is given a witness in R_L(x). For any adversarial verifier V*, let View_{V*}(P(w), V*(z))(x) be the random variable that denotes V*'s view in an interaction with P, when V* is given auxiliary input z, P is given witness w, and both parties are given common input x.

Definition 19 (Witness-indistinguishability). An interactive protocol (P, V) for L ∈ NP is witness indistinguishable for R_L if for every PPT adversarial verifier V*, and for every two sequences {w¹_x}_{x∈L} and {w²_x}_{x∈L} such that w¹_x, w²_x ∈ R_L(x) for every x ∈ L, the following ensembles are computationally indistinguishable over x ∈ L:

{View_{V*}(P(w¹_x), V*(z))(x)}_{x∈L, z∈{0,1}*}

≈ {View_{V*}(P(w²_x), V*(z))(x)}_{x∈L, z∈{0,1}*}

(The definition of resettable-witness-indistinguishability follows that of resettable zero knowledge analogously: witness indistinguishability under a resetting attack as described in Definition 2.)

A. 4  Commitment  Schemes 

Commitment protocols allow a sender to commit itself to a value while keeping it secret from the receiver; this property is called hiding. At a later time, the commitment can only be opened to a single value as determined during the commitment protocol; this property is called binding. Commitment schemes come in two different flavors, statistically binding and statistically hiding; we only make use of statistically binding commitments in this paper. Below we sketch the properties of a statistically binding commitment; full definitions can be found in [Gol01].

In  statistically  binding  commitments,  the  binding  property  holds  against  unbounded  adversaries, 
while  the  hiding  property  only  holds  against  computationally  bounded  (non-uniform)  adversaries. 
The  statistical-binding  property  asserts  that,  with  overwhelming  probability  over  the  randomness 
of  the  receiver,  the  transcript  of  the  interaction  fully  determines  the  value  committed  to  by  the 
sender.  The  computational-hiding  property  guarantees  that  the  commitments  to  any  two  different 
values  are  computationally  indistinguishable. 

Non-interactive statistically-binding commitment schemes can be constructed using any one-to-one one-way function (see Section 4.4.1 of [Gol01]). Allowing some minimal interaction (in which the receiver first sends a single random initialization message), statistically-binding commitment schemes can be obtained from any one-way function [Nao91, HILL99].

B Construction of an Oracle-Aided UA

In this section, we prove Theorem 7, which is restated below.

Theorem 13 (Theorem 7 restated). Let SIG' be a canonical sig-com scheme with SIG and Com being its underlying signature scheme and commitment scheme. Then there exists a (SIG', ℓ)-complete O_SIG-aided universal argument with ℓ(n) = 2n.

Proof. We construct such a universal argument in Fig. 3, which is essentially identical to the construction of [BG02], except that the Merkle hash tree is replaced by a sig-com tree. Note that both the efficient verification property and the completeness property (with a relatively efficient prover) follow by inspection. Furthermore, note that (SIG', ℓ)-completeness holds as well, since the prover P only needs access to an arbitrary valid (SIG', ℓ) oracle to produce the sig-com tree.


Common Input: An instance y = (M, x, t) of L_U; let n := |y|.

Auxiliary input to prover: w such that (y, w) ∈ R_U holds.

Primitives used:

• A PCP scheme for L_U with auxiliary properties as defined in [BG02], where

— P_PCP(y, w) generates a PCP proof π for (y, w) ∈ R_U.

— V_PCP is the non-adaptive verifier for the PCP system, which makes m queries to the PCP proof.

— Q_PCP(y, r, i) generates the i-th query of V_PCP with random tape r and common input y.

• A canonical sig-com scheme SIG′ with SIG and Com as the underlying signature and commitment schemes; let O^SIG be the corresponding signature oracle.

Set Up: Run (pp, O) ← O^SIG(1^n), and add pp to the common input of P and V. Further, allow P oracle access to O.

Protocol:

P1: Generate π ← P_PCP(y, (w, 1^{t′})), where t′ is the runtime of M on input (x, w). Use O to generate a sig-com tree for π w.r.t. pp, recording the sig-com path for each leaf. Send (d, h), the depth and the root of the sig-com tree, to V.

V1: Uniformly select randomness r for V_PCP, and send it to P.

P2: Generate the queries by using Q_PCP(y, r, i) to generate the i-th query q_i for every i ∈ [m]. Generate sig-com paths {ρ_i}_{i∈[m]} for the bits {b_i = π_{q_i}}_{i∈[m]} of π in the sig-com tree. Send the sig-com paths to V.

V accepts when:

• PATH_sig′(ρ_i, b_i, q_i, h, pp) = 1 for every i ∈ [m].

• V_PCP accepts when receiving {b_i}_{i∈[m]} as the responses to its oracle queries.

Figure 3: An O^SIG-aided Universal Argument.
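The commit-query-open flow of Figure 3 (P1, V1, P2 and the PATH_sig′ check), as an added example that is not the paper's code: the prover builds a tree over the PCP string π, records a path for each leaf, and the verifier recomputes the opened paths up to the root. The node rule (a commitment to a MAC on the two children's labels, the MAC standing in for the signature oracle O), the names build_tree, path_sig and figure3_check, and the elision of the PCP step are assumptions of this toy, not the paper's definition of a sig-com tree.

```python
import hashlib, hmac, os
# Constructed toy model of the sig-com tree of Figure 3, not the paper's SIG':
# an internal node label is Com(sig; rnd), where sig is a MAC (standing in for
# the signature oracle O) on the two children's labels. Toy limitation: V checks
# MACs with O's key, whereas a real signature scheme needs only pp = vk.

def com(value: bytes, rnd: bytes) -> bytes:
    return hashlib.sha256(rnd + value).digest()   # Com(value; rnd)

class Oracle:
    def __init__(self):
        self._sk = os.urandom(32)                  # secret held by O
    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self._sk, msg, hashlib.sha256).digest()
    def verify(self, msg: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(msg), sig)

def build_tree(bits, o: Oracle):
    """P1: sig-com tree over the PCP string pi; returns (d, root, path per leaf)."""
    d = (len(bits) - 1).bit_length()
    level = [bytes([b]) for b in bits] + [b"\x00"] * (2 ** d - len(bits))
    layers = []                                    # (labels, sigs, rnds) per level
    while len(level) > 1:
        sigs = [o.sign(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
        rnds = [os.urandom(16) for _ in sigs]
        layers.append((level, sigs, rnds))
        level = [com(s, r) for s, r in zip(sigs, rnds)]
    paths = []
    for i in range(len(bits)):                     # sig-com path for leaf i
        p, idx = [], i
        for labels, sigs, rnds in layers:
            p.append((labels[idx ^ 1], sigs[idx // 2], rnds[idx // 2], idx & 1))
            idx //= 2
        paths.append(p)
    return d, level[0], paths

def path_sig(path, bit: int, q: int, d: int, root: bytes, o: Oracle) -> bool:
    """PATH_sig'(rho, b, q, h, pp): recompute labels from leaf q up to the root."""
    if len(path) != d:
        return False
    cur, idx = bytes([bit]), q
    for sib, sig, rnd, side in path:
        pair = sib + cur if side else cur + sib    # side = 1: leaf branch is right
        if side != (idx & 1) or not o.verify(pair, sig):
            return False
        cur, idx = com(sig, rnd), idx // 2
    return cur == root

def figure3_check(bits, queries, o: Oracle) -> bool:
    """P1/V1/P2 with the PCP elided: V accepts iff every opened bit verifies."""
    d, root, paths = build_tree(bits, o)           # P1 sends (d, root) to V
    return all(path_sig(paths[q], bits[q], q, d, root, o) for q in queries)
```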

It remains to prove the weak proof of knowledge property (for adaptively chosen statements). Our proof is almost identical to that given by Barak and Goldreich in Section 3 of [BG02]. In fact, if we simply replace hash trees with sig-com trees and follow their argument exactly, we have the following lemma:

Lemma 14 (implicit in Lemma 3.5 of [BG02]). Let (P, V) be the O^SIG-aided protocol defined in Fig. 3. For every polynomial p, there exist oracle PPT algorithms E and CF and a polynomial q such that for every n ∈ N and every non-uniform PPT adversary P*, if

$$\Pr\big[(pp, O) \leftarrow O^{SIG}(1^n);\ R \leftarrow \{0,1\}^{\infty};\ y \leftarrow P^{*O}_{R}(pp) : \langle P^{*O}_{R}(pp), V(y, pp)\rangle = 1\big] \ge \frac{1}{p(n)},$$

then with probability at least 1/q(n) over (pp, O, R) ← O^SIG(1^n) × {0,1}^∞, it holds that either

$$\Pr\big[r \leftarrow \{0,1\}^{\infty};\ y \leftarrow P^{*O}_{R}(pp) : \exists\, w = w_1, \dots, w_t \in R_U(y) \text{ s.t. } \forall i \in [t],\ E_r^{P^{*O}_{R}}(pp, y, i) = w_i\big] \ge \frac{1}{q(n)}$$

or

$$\Pr\big[(\rho_0, \rho_1, \gamma, h) \leftarrow CF^{P^{*O}_{R}(pp)}(pp) : \forall b \in \{0,1\},\ \mathrm{PATH}_{sig'}(\rho_b, b, \gamma, h, pp) = 1\big] \ge \frac{1}{q(n)}.$$

Given the above lemma, we observe that, for any P*^O, except for finitely many n ∈ N, the latter condition can only hold with probability at most 1/(2q(n)) over (pp, O, R) ← O^SIG(1^n) × {0,1}^∞. Otherwise, we would be able to use CF^{P*^O_R} as an oracle-aided adversary that succeeds in breaking the sig-com tree collision resistance of SIG′ for infinitely many n ∈ N with probability ≥ 1/(2(q(n))^2) over O^SIG(1^n), R, and the randomness of CF.

Thus, assuming that SIG′ is a secure sig-com scheme, the former condition of the lemma must hold with probability ≥ 1/(2q(n)) over (pp, O, R) ← O^SIG(1^n) × {0,1}^∞ for all but finitely many n ∈ N, i.e.,

$$\Pr\big[(pp, O) \leftarrow O^{SIG}(1^n);\ R, r \leftarrow \{0,1\}^{\infty};\ y \leftarrow P^{*O}_{R}(pp) : \exists\, w = w_1, \dots, w_t \in R_U(y) \text{ s.t. } \forall i \in [t],\ E_r^{P^{*O}_{R}}(pp, y, i) = w_i\big] \ge \frac{1}{2(q(n))^2}.$$

Setting p′(n) = 2(q(n))^2, we have that E is a sufficient extractor for the weak proof of knowledge property. □

C Proof of Theorem 8

Here we prove Theorem 8, which is restated below.

Theorem 15 (Theorem 8 restated). Let SIG′ be a canonical sig-com scheme with SIG and Com being its underlying signature scheme and commitment scheme. Then there exists an O^SIG-oracle-aided argument of knowledge (P, V) for NP; additionally,

1. (P, V) is constant-round and public-coin;

2. P does not make any queries to its oracle;

3. (P, V) is (SIG′, ℓ)-oracle-aided zero-knowledge for ℓ(n) = 2n.

Proof. We show that the construction provided in Fig. 1 and 2 satisfies the desired properties. By inspection, (P, V) is constant-round and public-coin, and P does not make any queries to its oracle. For the (SIG′, ℓ)-oracle-aided zero-knowledge property, we construct a simulator identically to [PR05]. In brief, the straight-line simulator S provides a proof to V* using the second witness for Stage Three, and uses the oracle O to produce a sig-com tree for ECC(Π) in Stage One with Π = V*, and also to complete the encrypted UA in Stage Two. We further observe that the ZK simulator will work even with any valid (SIG′, ℓ)-oracle, since such an oracle is sufficient to produce a correct sig-com tree in Stage One, and to complete the (SIG′, ℓ)-oracle-complete UA in Stage Two.

It remains to show the argument of knowledge property. We start by constructing a knowledge extractor E for (P, V). E(x, pp) proceeds as follows: Given oracle access to a malicious prover P*^O(x, pp), E internally emulates the role of the honest verifier V for P*^O(x, pp) up to the beginning of Stage Three (i.e., the beginning of the WI-AOK). Let α denote the partial transcript, and P*^O(x, pp; α) be the “residual” prover. Then E applies the witness extractor E_WI for (P_WI, V_WI) on P*^O(x, pp; α), and outputs E_WI's output. Note that since O ← O^SIG is efficient, P*^O(x, pp; α) is a polynomial-size adversary in the plain model.

Clearly by inspection, E runs in expected polynomial time. Let ε be the success probability of P* in convincing V. We first show that E_WI outputs a valid witness (either a true witness w ∈ R_{L_1}(x) or a false witness (ρ_1, ρ_2, τ_1, τ_2) ∈ R_{L_2}(c_0, r, c_1, c_2, r′, pp)) with probability ε − ngl(|x|).

Let ε(pp, O, α) = Pr[⟨P*^O, V_WI⟩(x, pp; α) = 1], i.e., the probability that the residual prover P*^O(x, pp; α) convinces V_WI in Stage Three. By definition, E_{pp,O,α}[ε(pp, O, α)] = ε. By the argument of knowledge property of the WI-AOK (P_WI, V_WI), E_WI^{P*^O(x, pp; α)} outputs a valid witness with probability at least ε(pp, O, α) − ngl(|x|). It follows that in the execution of E, E_WI outputs a valid witness with probability at least E_{pp,O,α}[ε(pp, O, α) − ngl(|x|)] ≥ ε − ngl(|x|).

We proceed to argue that in the execution of E, E_WI can only output a false witness with negligible probability. Suppose not, that is, E_WI outputs a false witness with some noticeable probability ε′. Then we will use this fact to contradict the collision resistance property of SIG′. We do so in the following two steps:

1. We construct an efficient cheating UA prover P*_UA for (P_UA, V_UA) that convinces V_UA with probability poly(ε′).

2. We use the extractor E_UA from the weak argument of knowledge property of (P_UA, V_UA) together with this P*_UA to build a collision-finder for SIG′.

Step 1: Constructing P*_UA. P*_UA internally emulates P* and proceeds as follows.

• P*_UA(pp) runs c_0 ← P*^O(x, pp), samples r ← {0,1}^n and outputs y = (c_0, r, pp) as the adaptively chosen statement.

• P*_UA(pp) generates the first prover message ρ_1 as follows: P*_UA(pp) feeds r to P*^O, receives c_1 ← P*^O(x, pp; r), and continues to emulate the interaction of P*^O with an honest V up to the end of Stage Two; let α be the partial transcript and P*^O(x, pp; α) be the “residual” prover. Then P*_UA applies E_WI on P*^O(x, pp; α). If E_WI outputs a valid (ρ_1, ρ_2, τ_1, τ_2) ∈ R_{L_2}, then P*_UA outputs ρ_1; otherwise, P*_UA aborts.

• Upon receiving r′ from V_UA, P*_UA rewinds P* until the point where it awaits the message r′, feeds r′ to P*^O, and receives c_2 ← P*^O(x, pp; r′); let α′ denote the partial transcript. Then P*_UA applies E_WI on P*^O(x, pp; α′). If E_WI outputs a valid (ρ′_1, ρ′_2, τ′_1, τ′_2) ∈ R_{L_2}, then P*_UA outputs ρ′_2; otherwise, P*_UA aborts.




Clearly by inspection, P*_UA runs in expected polynomial time. Furthermore, we can make P*_UA run in strict polynomial time by cutting it off after a certain polynomial time bound with only a small loss in its success probability. It follows by an argument identical to [BG02, PR05] that P*_UA convinces V_UA to accept with probability poly(ε′). Roughly, the argument consists of counting “good” oracles and verifier messages, i.e., those that let the prover succeed with “high” probability (see Claim 4.2.1 in [BG02]), together with applying the binding property of the commitment scheme to show that the witnesses extracted by the two executions of E_WI have consistent first prover messages (i.e., ρ_1 = ρ′_1) except with negligible probability (see Lemma A.3 in [PR05]).

Step 2: Finding a collision. We now use P*_UA to break the collision resistance property of the sig-com tree corresponding to SIG′, which contradicts Lemma 6. Let 1/p be a lower bound on the success probability of P*_UA for some polynomial p. Let E_UA be the corresponding weak knowledge extractor for (P_UA, V_UA). Recall that the weak argument of knowledge property guarantees that

$$\Pr\big[(pp, O) \leftarrow O^{SIG}(1^n);\ \omega, \nu \leftarrow \{0,1\}^{\infty};\ y \leftarrow P^{*O}_{UA,\omega}(pp) : \exists\, w = w_1, \dots, w_t \in R_U(y) \text{ s.t. } \forall i \in [t],\ E_{UA,\nu}^{P^{*O}_{UA,\omega}}(pp, y, i) = w_i\big] \ge \frac{1}{p'}$$

where ω, ν denote the random tapes of P*_UA and E_UA, respectively, p′ is some polynomial, and the witness w is of the form (t_0, d, h, C, {ρ_i}). To simplify the notation, let suc(pp, O, ν, ω) = 1 if the extraction successfully extracts a valid witness w ∈ R_U(y).

We construct a PPT adversary A that breaks the collision resistance property of the sig-com tree corresponding to SIG′. A, on input 1^n and vk, with oracle access to a signing oracle Sign_sk(·), proceeds as follows.

• A uses vk and its signing oracle to emulate an O^SIG oracle with pp = vk and O = Sign_sk(·).

• A samples ω, ω̃, and lets y ← P*_{UA,ω}(pp), ỹ ← P*_{UA,ω̃}(pp); recall from our definition of P*_UA that y = (c_0, r, pp) and ỹ = (c_0, r̃, pp) each contain the same c_0 and pp components, while r and r̃ are selected independently and uniformly at random.

• A samples ν, ν̃, and applies E_{UA,ν}^{P*_{UA,ω}}(pp, y, ·) and E_{UA,ν̃}^{P*_{UA,ω̃}}(pp, ỹ, ·) to extract (part of) the witnesses w = (t_0, d, h, C, {ρ_i}_{i∈[2^d]}) and w̃ = (t̃_0, d̃, h̃, C̃, {ρ̃_i}_{i∈[2^d]}) as follows: (1) A first extracts (d, h) and (d̃, h̃). A aborts if the extraction fails at any point. (Note that by the binding property of the commitment, (d, h) = (d̃, h̃) except with negligible probability.) (2) Then A samples i ← [2^d], and extracts (C_i, ρ_i) and (C̃_i, ρ̃_i).

• If C_i ≠ C̃_i, then A outputs (ρ_i, ρ̃_i, i, h) if C_i = 0, and (ρ̃_i, ρ_i, i, h) if C_i = 1.

We now show that A breaks the collision resistance property with non-negligible probability. Note that A runs the knowledge extraction twice with respect to the same pp, O but independent copies of (ν, ω) and (ν̃, ω̃). Recall that the extraction succeeds with probability at least 1/p′. For at least a 1/(2p′)-fraction of (pp, O), it holds that Pr[suc(pp, O, ν, ω) = 1 | (pp, O)] ≥ 1/(2p′). Therefore, with probability at least (1/2p′)^3 over (pp, O, ν, ω, ν̃, ω̃), both suc(pp, O, ν, ω) = suc(pp, O, ν̃, ω̃) = 1, i.e., both extractions invoked by A succeed.

Finally, we note that the independently drawn r and r̃ are different with overwhelming probability, and so the Π and Π̃ underlying C and C̃ will also be different with overwhelming probability. Since we used an error-correcting code ECC with constant min-distance, if Π ≠ Π̃, then for a randomly chosen i, C_i ≠ C̃_i with constant probability c, meaning the two paths output by A will have different leaf labels. Thus with probability ≥ c/(2p′)^3, A successfully outputs a pair of colliding paths with the same root but different leaf labels, breaking the collision resistance of sig-com trees corresponding to SIG′. □